Microsoft 365 Defender: Understanding Unified Security Architecture
Microsoft 365 Defender is not a simple security product: it is an integrated suite of services, tools and extended detection and response capabilities (XDR – Extended Detection and Response). Its objective is to concretely implement Microsoft's Zero Trust model, according to which no identity, device or application is considered trustworthy by default — everything must be verified continuously.
This article presents all the key components available in the security.microsoft.com portal, their respective functions, and priority actions to implement to secure your Microsoft 365 tenant.
Unified Portal
Since its redesign, the Microsoft Defender portal is accessible via security.microsoft.com. It centralizes all Microsoft 365 security tools in a single interface, replacing the old separate portals.
Licensing Model: Three Levels of Protection
Before exploring the features, it is essential to understand the licensing model, which directly determines the available capabilities.
| Plan | Profile | Main Capabilities |
|---|---|---|
| Exchange Online Protection (EOP) | All Microsoft 365 customers | Anti-malware, anti-spam, basic anti-phishing |
| Defender for Business / Plan 1 | SMBs and manual investigation | Threat Intelligence, threat analysis, manual remediation |
| Defender XDR (E5 / E3 + add-ons) | Enterprises with SOC | Complete suite: investigation, automated response, machine isolation, UEBA |
- EOP: included in all Microsoft 365 subscriptions, it ensures basic email protection.
- Defender Plan 1 (included in Microsoft 365 Business Premium): adds Safe Attachments, Safe Links and advanced detection capabilities.
- Defender XDR / Plan 2 (E5 or E5 Security): activates automated incident response, Attack Simulator, advanced Threat Analytics and complete integration with Defender for Identity and Defender for Endpoint.
Free Trial
The Defender portal offers 30-day trials for premium add-ons. Take advantage of this to test complete XDR capabilities before any commercial commitment.
Secure Score: Your Security Posture Dashboard
Secure Score is the recommended starting point for any administrator taking over a Microsoft 365 tenant. It provides a numeric assessment of your organization's security posture, broken down by domain:
- Identity: MFA policies, conditional access, phishing-resistant credentials
- Data: information protection, DLP, sensitivity labels
- Applications: OAuth policies, Shadow IT, Defender for Cloud Apps
- Devices: Intune compliance, patch management, attack surface
Each recommendation is accompanied by a step-by-step implementation guide, a change history and the ability to assign the action to a team member.
Sector Benchmarking
Secure Score includes a comparison with similar tenants (same sector, same size). This indicator is valuable for identifying gaps compared to market best practices.
Access: Exposure Management > Secure Score in the Defender portal.
Email and Collaboration Protection: Essential Policies
Basic Policies Included in EOP
All Microsoft 365 customers automatically benefit from the following policies via Exchange Online Protection:
- Anti-malware: 9 scanning engines in parallel
- Anti-spam: inbound and outbound filtering
- Anti-phishing: detection of impersonation attempts
These policies are accessible via Email & Collaboration > Policies & Rules > Threat Policies.
Safe Attachments: The First Line of Defense
Safe Attachments is one of the most critical features available with Defender Plan 1 (Business Premium, E5, E3 + Defender add-on). Its operation is based on a detonation mechanism:
- The message is delivered to the user without the attachment
- The attachment is executed in an isolated sandbox environment
- Analysis verifies: code execution, registry calls, malicious behaviors
- If the attachment is safe, it is reattached and delivered (delay of a few seconds)
- If it is malicious, it is permanently deleted
Access Safe Attachments policies
In the Defender portal, navigate to Email & Collaboration > Policies & Rules > Threat Policies > Safe Attachments.
Create a new policy
Click Create and name your policy. Define the scope: individual users, groups (e.g., Sales & Marketing) or entire domain.
Configure the action
Choose the Dynamic Delivery action (recommended in production) to deliver the message without delay while analyzing the attachment in the background. The Block option is more restrictive but may impact productivity.
Configure redirection (optional)
Enable redirection to a dedicated monitoring mailbox for blocked attachments. Useful for SOC teams wishing to analyze malicious artifacts.
Mandatory Activation
Safe Attachments is disabled by default. If you have the appropriate license, its activation is an absolute priority. Do not leave this feature inactive in your production environment.
Safe Links: Protection Against Malicious URLs
Safe Links protects your users against more than 4 billion known and unknown malicious links. It operates in real-time on:
- Outlook emails
- Microsoft Teams messages
- Office documents
The behavior is as follows:
- Link being analyzed: yellow visual indicator
- Malicious link detected: blocking with red warning page
- Safe link: transparent redirection to destination
Configuration is similar to Safe Attachments: Email & Collaboration > Policies & Rules > Threat Policies > Safe Links. Default settings are sufficient in most cases for immediate protection.
Attack Simulator: Test Human Resilience
Available with Defender Plan 2 (E5 / E3 + add-on), Attack Simulator allows you to launch simulated phishing campaigns against your own users. Key features include:
- Library of templates based on latest real attack techniques
- Targeting by group, department or individual user
- Automatic training modules for users who click on lures
- Follow-up reports: click-through rate, reporting rate, progression over time
Microsoft Reference
Official documentation: Attack simulation training in Microsoft Defender
Defender for Identity: Securing Active Directory and Hybrid Identities
Defender for Identity monitors the behavior of user accounts and entities through UEBA (User and Entity Behavior Analytics). It is particularly effective in hybrid environments using on-premises Active Directory.
Deploying the Sensor on Domain Controllers
Access Identity Settings
In the Defender portal, navigate to Settings > Identities to access Defender for Identity configuration.
Download and Install the Sensor
Download the sensor installation package directly from the portal. Run it on each Active Directory domain controller to monitor.
Configure the Access Key
During installation, enter the access key generated from the Defender portal. This key establishes the secure connection between the sensor and the cloud service.
Verify Data Upload
Once the sensor is active, the Identities dashboard begins displaying activities, behavioral alerts and potential attack paths.
The sensor analyzes in real-time:
- Pass-the-hash and pass-the-ticket attacks
- Attempts at LDAP reconnaissance
- Suspicious modifications to privileged groups
- Abnormal login behaviors (time, location, frequency)
Microsoft Reference
Official deployment guide: Deploy Microsoft Defender for Identity sensors
Defender for Endpoint: Protecting Workstations and Servers
Defender for Endpoint covers all endpoints: Windows, macOS, Linux, iOS and Android devices. Onboarding can be performed via multiple methods.
PowerShell Script for Post-Onboarding Verification
After deployment, you can verify that the Defender for Endpoint service is active on a Windows computer with the following script:
1# Verification of the Sense service status (Defender for Endpoint)2$service = Get-Service -Name "Sense" -ErrorAction SilentlyContinue3 4if ($service) {5 Write-Host "Defender for Endpoint - Status: $($service.Status)" -ForegroundColor Green6 7 # Verification of sensor version8 $defenderInfo = Get-MpComputerStatus9 Write-Host "MDE Platform Version: $($defenderInfo.AMProductVersion)"10 Write-Host "Latest Signature Update: $($defenderInfo.AntivirusSignatureLastUpdated)"11} else {12 Write-Host "The Sense service was not found. Onboarding was not completed." -ForegroundColor Red13}PowerShell Script for Bulk Onboarding via Intune (Compliance Verification)
1# Verification of MDE onboarding on multiple machines via Get-MgDevice (Microsoft Graph)2# Prerequisites: Microsoft.Graph module installed and connected3 4Connect-MgGraph -Scopes "Device.Read.All"5 6$devices = Get-MgDevice -All | Select-Object DisplayName, OperatingSystem, OperatingSystemVersion, TrustType7 8foreach ($device in $devices) {9 Write-Output "[$($device.DisplayName)] OS: $($device.OperatingSystem) $($device.OperatingSystemVersion) | Trust: $($device.TrustType)"10}Available Onboarding Methods
- Microsoft Intune: recommended method for cloud-first and hybrid environments
- Group Policy (GPO): for on-premises Active Directory environments
- Local Script: manual deployment or via SCCM
- Microsoft Defender for Cloud: for Azure virtual machines
Configuration access is done via Settings > Endpoints > Onboarding in the Defender portal.
Included PowerShell Script
The onboarding package downloaded from the Defender portal includes a PowerShell validation script (WindowsDefenderATPOnboardingScript.cmd) that verifies the agent is properly installed and communicating with the cloud service.
Threat Intelligence: Anticipating Emerging Threats
The Threat Intelligence > Threat Analytics section is designed for SOC analysts. It provides:
- Microsoft analyst reports on active threats (APT groups, ransomware, MITRE ATT&CK techniques)
- Impact on your tenant: do you have endpoints exposed to this threat?
- Indicators of Compromise (IoC) associated
- Recommended actions with prioritization
- Patching status of your endpoints against exploited CVEs
Microsoft Reference
Complete documentation: Threat analytics in Microsoft Defender XDR
Exposure Management: Visualize and Reduce Attack Surface
The Exposure Management section provides a consolidated view of your organization's attack surface:
- Attack Surface Map: mapping of potential attack paths
- Vulnerability Management: CVEs detected on your endpoints, with CVSS score and available patch
- Secure Score: (see dedicated section above)
- Data Connectors: integration of third-party sources (AWS, GCP, SIEM tools)
Microsoft 365 Defender Components Summary
| Component | Protects What? | Minimum License |
|---|---|---|
| Exchange Online Protection | Inbound/Outbound Email | All M365 licenses |
| Safe Attachments | Malicious Attachments | Business Premium / Plan 1 |
| Safe Links | Malicious URLs | Business Premium / Plan 1 |
| Attack Simulator | User Awareness | Plan 2 / E5 |
| Defender for Identity | AD Identities and Hybrid | Plan 2 / E5 |
| Defender for Endpoint | Workstations, Servers, Mobile | Plan 1 / Plan 2 |
| Threat Analytics | Threat Intelligence | Plan 2 / E5 |
| Exposure Management | Overall Attack Surface | E5 / E5 Security |
Conclusion: Where to Start?
Given the wealth of available components, here are the recommended action priorities for an effective start with Microsoft 365 Defender:
- Consult Secure Score and address high-impact recommendations (MFA, Conditional Access)
- Enable Safe Attachments and Safe Links immediately if you have the appropriate licenses
- Deploy the Defender for Identity sensor on your AD domain controllers
- Onboard your endpoints via Intune to benefit from EDR protection
- Consult Threat Analytics regularly to stay informed about active threats
- Launch an Attack Simulator campaign to measure your users' resilience
Licensing Prerequisites
Always verify your active licenses before configuring features. Some options (Attack Simulator, complete Threat Analytics, Defender for Identity) require Microsoft 365 E5 or specific add-ons. Use the Microsoft 365 Licensing Diagrams as a reference: M365 Maps.
To learn more, explore the training resources available directly in the Defender portal via Learning Hub, which points to official Microsoft Learn paths.



