Use the Microsoft Defender portal

Completed

The Microsoft Defender portal (https://security.microsoft.com/) is a specialized workspace designed to meet the needs of security teams. These solutions are integrated across Microsoft 365 services and provide actionable insights to help reduce risks and safeguard your digital estate.

You can investigate the alerts that affect your network, understand what they mean, and collate evidence associated with the incidents so that you can devise an effective remediation plan.

The Home page shows many of the common cards that security teams need. The composition of cards and data is dependent on the user's role. Because the Microsoft Defender portal uses role-based access control, different roles see cards that are more meaningful to their day-to-day jobs.

This at-a-glance information helps you keep up with the latest activities in your organization. The Microsoft Defender portal brings together signals from different sources to present a holistic view of your Microsoft 365 environment.

The Microsoft Defender portal combines protection, detection, investigation, and response to email, collaboration, identity, device, and app threats, in a central place.

This single pane of glass brings together functionality from existing Microsoft security portals, like the Microsoft Defender portal and the Office 365 Security & compliance portal. The Microsoft Defender portal emphasizes quick access to information, simpler layouts, and bringing related information together for easier use. It includes:

  • Microsoft Defender for Office 365 - Microsoft Defender for Office 365 helps organizations secure their enterprise with a set of prevention, detection, investigation and hunting features to protect email, and Office 365 resources.
  • Microsoft Defender for Endpoint - Delivers preventative protection, post-breach detection, automated investigation, and response for devices in your organization.
  • Microsoft Defender XDR - is part of Microsoft’s Extended Detection and Response (XDR) solution that uses the Microsoft 365 security portfolio to automatically analyze threat data across domains, and build a picture of an attack on a single dashboard.
  • Microsoft Defender for Cloud Apps - Is a comprehensive cross-SaaS and PaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps.
  • Microsoft Defender for Identity - Is a cloud-based security solution that uses your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
  • Microsoft Defender Vulnerability Management - Delivers continuous asset visibility, intelligent risk-based assessments, and built-in remediation tools to help your security and IT teams prioritize and address critical vulnerabilities and misconfigurations across your organization.
  • Microsoft Defender for IoT - Operational Technology (OT) involves the specialized hardware and software used to monitor and control physical processes in critical sectors such as manufacturing, utilities, pharmaceuticals, and more. Microsoft Defender for IoT, available within the Microsoft Defender portal, is designed to secure OT environments.
  • Microsoft Sentinel - Integrate Microsoft Defender XDR with Microsoft Sentinel to stream all Defender XDR incidents and advanced hunting events into Microsoft Sentinel and keep the incidents and events synchronized between the Azure and Microsoft Defender portals.

The More resources option in the portal provides a list of these related portals:

Portal Description
Microsoft Purview compliance portal Manage your compliance needs across Microsoft 365 services using integrated solutions for information governance, classification, case management, and more.
Microsoft Entra ID Manage your organization's identities. Set up multifactor authentication, track user sign-ins, edit company branding, and more.
Microsoft Entra ID Protection Detect potential vulnerabilities affecting your organization's identities. Investigate suspicious incidents related to your organization's identities and set up automated responses to resolve them.
Azure Information Protection Configure and manage the Azure Information Protection client and scanner to automatically classify and protect your organization's email and docs. Use reports to monitor label usage and identify sensitive info that should be protected.
Microsoft Defender for Cloud Protect your data centers and get advanced threat protection for your Azure and non-Azure workloads in the cloud and on premises. Secure your Azure services fast with autoprovisioned, native protection.

Note

Microsoft Defender for Business is a licensing model designed especially for the small and medium-sized business (up to 300 employees). You might find Microsoft Defender portal content in the documentation section of Microsoft Defender for Business. The solutions use the same portal (https://security.microsoft.com) and therefore the documentation applies.

Required roles and permissions

The following table outlines the roles and permissions required to access each unified experience in each workload. Roles defined in the table below refer to custom roles in individual portals and aren't connected to global roles in Microsoft Entra ID, even if similarly named.

Note

Incident management requires management permissions for all products that are part of the incident.

One of the following role permission options is required for Microsoft Defender XDR One of the following role permission options is required for Defender for Endpoint One of the following roles or permission options is required for Defender for Office 365 One of the following roles is required for Defender for Cloud Apps
Viewing investigation data:
- Alert page
- Alerts queue
- Incidents
- Incident queue
- Action center
View data-security operations - View-only Manage alerts
- Organization
- configuration
- Audit logs
- View-only audit logs
- Security reader
- Security admin
- View-only recipients
- Global admin
- Security admin
- Compliance admin
- Security operator
- Security reader
- Global reader
Viewing hunting data View data-security operations - Security reader
- Security admin
- View-only recipients
- Global admin
- Security admin
- Compliance admin
- Security operator
- Security reader
- Global reader
Managing alerts and incidents Alerts investigation - Manage alerts
- Security admin
- Global admin
- Security admin
- Compliance admin
- Security operator
- Security reader
Action center remediation Active remediation actions – security operations Search and purge
Setting custom detections Manage security settings - Manage alerts
- Security admin
- Global admin
- Security admin
- Compliance admin
- Security operator
- Security reader
- Global reader
Threat Analytics Alerts and incidents data:
- View data - security operations

Threat and Vulnerability Management (TVM) mitigations:
- View data - Threat and vulnerability management
Alerts and incidents data:
- View-only Manage alerts
- Manage alerts
- Organization configuration
- Audit logs
- View-only audit logs
- Security reader
- Security admin
- View-only recipients

Prevented email attempts:
- Security reader
- Security admin
- View-only recipients
Not available for Defender for Cloud Apps or MDI users

For more information about the required roles and permissions for the Microsoft Defender portal, see Microsoft Defender - Create and manage roles for role-based access control.

Interactive Lab Simulation

Note

Select the thumbnail image to start the lab simulation. When you're done, be sure to return to this page so you can continue learning.

Screenshot of the lab simulation page.