The Security Feature Most Microsoft 365 Admins Ignore

image

One of the first things I do when looking at a Microsoft 365 environment is check what security is actually doing. Not what has been configured. Not what the Secure Score says. Not what someone remembers setting up six months ago. I want to see what is really happening right now.

That’s why I’m a big fan of the reporting options built into Microsoft Defender for Office 365.

Too many organisations spend time configuring Safe Links, Safe Attachments, anti-phishing policies and quarantine settings, then never look back. The assumption is that because the settings exist, they must be working. In reality, security is something you need to measure continuously, not configure once and forget. The Microsoft documentation highlights a range of Defender for Office 365 reports that provide visibility into how email protection is performing and what threats are being stopped before they reach users. View Defender for Office 365 reports [learn.microsoft.com]

Security Is About Evidence

I regularly see organisations investing in security tools but struggling to answer simple questions:

  • How much phishing is being blocked?

  • Are malicious attachments being detected?

  • How quickly is email being processed?

  • Are threats still arriving in user mailboxes?

The Defender reports help answer those questions.

The real value isn’t the graphs and dashboards. The value comes from having evidence. Security conversations change dramatically when you can point to data rather than assumptions.

Imagine sitting down with management and showing that thousands of malicious messages were blocked last month before users ever saw them. That’s a much stronger discussion than simply saying, “Our email security is working.”

It’s Not Just About Blocking Threats

One report that often catches my attention is mail latency. Security processing adds time to message delivery, particularly when attachments need deeper inspection. The report helps you understand whether protection measures are impacting mail flow. Mail latency report [learn.microsoft.com]

Another area worth reviewing is post-delivery activity. No security platform catches everything immediately. Sometimes a threat is identified after a message has already arrived in a mailbox. Defender’s automated remediation features can remove those messages automatically, but unless you’re reviewing reports, you may never know how often that’s happening. Post-delivery activities report [learn.microsoft.com]

This is an important lesson for any organisation using Microsoft 365. Security isn’t only about prevention. It’s also about detection and response.

Why This Matters More in the Age of Copilot

As organisations adopt Microsoft 365 Copilot, the quality and security of their Microsoft 365 environment becomes even more important.

Copilot works across Outlook, Teams, SharePoint and OneDrive. The more information available inside Microsoft 365, the more valuable Copilot becomes. However, that also means security teams need confidence that threats are being managed effectively.

I’ve seen organisations focus heavily on Copilot deployment while overlooking the visibility tools already sitting inside Microsoft Defender. Before chasing the next AI capability, make sure you understand what is happening inside your environment today.

A practical example might be reviewing a phishing campaign shown in Defender reports and then using Microsoft 365 Copilot in Excel to analyse trends over time or prepare management summaries from the collected data. That’s a real-world workflow that combines security visibility with AI assistance.

Stop Flying Blind

One of the biggest mistakes I see in small and medium businesses is treating security as a set-and-forget exercise. Security policies get deployed, everyone feels confident, and then nobody checks whether the controls are actually delivering the expected outcome.

The Defender for Office 365 reports provide the missing feedback loop.

If you’re already paying for Microsoft Defender for Office 365 through licences such as Microsoft 365 Business Premium, E5 or Defender for Office 365 plans, these reports are often sitting there waiting to be used. Defender for Office 365 reports [learn.microsoft.com]

My recommendation is simple. Schedule time every month to review the data. Look at what is being blocked, what is slipping through, and how protection is performing over time. Trends are often more important than individual incidents.

Security isn’t about having controls. It’s about knowing whether those controls are working.

And in my experience, the organisations that regularly review their security reports are almost always in a stronger position than those that don’t.

Defender for Identity: the sensor you’ve been avoiding just got easy

MAI_8e04c152a34c15b8

Most of us treat the domain controller like furniture. It’s been in the corner for fifteen years, it works, and nobody wants to touch it.

But that DC sees everything. Every logon. Every Kerberos ticket. Every “let me just check if this service account still works” at 2am from a machine that has no business asking.

You’re sitting on the single richest source of attack signal in the whole environment, and most small-business tenants aren’t reading a word of it.

That’s not a tooling gap. That’s a switch nobody flipped.

And I get why. For years, turning on Microsoft Defender for Identity meant a download, an installer on every DC, a group managed service account, audit GPOs, and a packet-capture driver. Real work. So it sat on the “later” pile.

Later just arrived. The new sensor changes the maths completely.

What is the Defender for Identity sensor, really?

Forget the marketing. Defender for Identity is a sensor that lives on your domain controllers and watches the authentication traffic they already handle.

It’s looking for the things your antivirus will never see — lateral movement, Kerberoasting, DCSync, someone quietly enumerating your admins. The DC is the witness. The sensor just takes its statement.

Here’s what changed. The version 3 sensor — the “unified” one that went generally available late last year — doesn’t ship as its own agent anymore. It rides inside Defender for Endpoint. If Defender for Endpoint is already onboarded on your DC, the identity sensor is a few clicks in the portal. No installer. No service account. No Npcap.

One caveat before you get excited, and it’s the one MSPs trip on: this isn’t in Business Premium. You need Microsoft 365 E5, E5 Security, EMS E5, or the standalone Defender for Identity licence. Check the SKU before you promise a client anything.

Step-by-Step: turning the sensor on

Assuming Defender for Endpoint is already running on a Windows Server 2019-or-later DC that’s kept current on updates, here’s the path. Everything happens in the Microsoft Defender portal — no remoting onto the box.

Open the activation surface

Go to security.microsoft.com, then Settings > Identities. First time in, it provisions your workspace in a few seconds.

Activate the sensor

Open the Sensors (or Activation) page. Every DC that’s already onboarded to Defender for Endpoint and meets the bar shows up as eligible. Tick it, activate, done. No download, no reboot, no downtime on the DC.

Defender portal → Settings → Identities → Sensors
  [x] DC01  (eligible — Defender for Endpoint onboarded)  → Activate
  [x] DC02  (eligible — Defender for Endpoint onboarded)  → Activate

Notice what’s missing? No installer to copy. No service account to create and babysit. No access key pasted into a setup wizard. If you’ve done this the old way, that absence is the whole story.

Mind the stragglers

Version 3 only covers domain controllers on Server 2019 and later. Got an old 2016 DC, or a standalone AD FS, AD CS, or Entra Connect box? Those still need the classic v2 sensor with its installer. Mixed estates are fine — both versions report to the same workspace.

Set a honeytoken

This is the cheap win everyone skips. Under Settings > Identities > Entity tags > Honeytoken, tag a dormant account as a honeytoken. Give it a tasty name — svc-backup-admin, sql_sa_old — and never use it. Because nothing legitimate ever touches it, any authentication against it is, by definition, someone poking where they shouldn’t. High signal, almost no noise.

Why this actually changes behaviour

The sensor needs time to learn what normal looks like — figure on a few weeks per DC before the behavioural alerts settle. Don’t treat every early alert as gospel. Watch, tune, then trust.

“So I just switch it on and start blocking?”

No. You switch it on and start watching. Audit before you trust. The honeytoken is the exception — that one’s high-confidence from minute one.

Here’s the real win, and it’s a business one. Identity attacks don’t announce themselves on the endpoint. They look like a valid logon, because they are one — with stolen credentials. The DC is the one place that sees the pattern. Turn the sensor on and you’ve gone from “we’d never know” to “we’d get paged.”

For an MSP, that’s a renewal conversation, not a checkbox. “We’re watching your domain controllers for credential attacks” is something a client understands and pays for.

Defender for Identity isn’t there to add another console to your morning. It’s there so the most important server in the building finally has someone listening.

You’ve already got the witness. Go take the statement.

The remote shell you already own and never switched on

MAI_f92fd6ff5e6c3e0b


A client rings. A machine’s behaving strangely — fake-looking PowerShell, a scheduled task nobody created, something. What do most of us do?

We RDP in. Or worse, we send someone onsite.

Here’s the thing. If that device is onboarded to Defender for Endpoint, you already have a remote command line sitting right there in the portal. You can be on the box, reading its running processes, in about thirty seconds. From your desk.

Most MSPs I talk to have never turned it on. For some it’s a checkbox they walked straight past during onboarding. For others — and this is the part that trips people up — it’s a licence they didn’t realise they’re missing. Either way, it’s a gap worth closing.

What is Live Response, really?

Live Response is a secure remote shell into any onboarded device, run entirely from the Defender portal. No RDP. No VPN. No jump box. No asking a panicked user to “click the thing I just emailed you”.

You open a session and you’re talking to the machine in real time. List processes, pull a suspicious file back to the portal for analysis, kill something, drop a registry change, or run a PowerShell script you’ve pre-loaded.

Think of it as the SSH session you always wished you had for your Windows fleet — except the audit trail writes itself and you never went near the network.

Here’s the real win. The thirty minutes you used to burn coordinating remote access to a maybe-compromised box just disappears. You’re simply there.

Step-by-step: getting on the box

This lives in Live Response in Defender for Endpoint, and it needs Defender for Endpoint Plan 2.

Now read this next bit carefully, because it’s where the assumption bites. Business Premium does not give you Plan 2. Business Premium includes Defender for Business — same great EDR detections, and the basic response actions you’d expect (isolate the device, run an antivirus scan, quarantine a file). But Live Response, the remote shell, is not in Defender for Business. It’s a Plan 2-only feature.

So before you promise a client “I’ll just hop on the box,” check what they’re actually licensed for. To get Live Response onto a Business Premium tenant you need either the Defender Suite for Business Premium add-on (around $10/user/month — which also lands you Defender for Office 365 P2, Entra ID P2 and more) or a standalone Defender for Endpoint Plan 2 licence.

And one last gotcha that catches people out: even after you assign the licences, the tenant defaults to the Defender for Business experience. You have to contact Microsoft Support and ask them to switch the tenant to the Plan 2 experience before the remote shell appears. It’s a one-time thing, but it’s a ticket, not a toggle.

None of this is a reason not to do it. It’s a reason to do it deliberately — a line item on the proposal and a switch request, not a feature your client already paid for and forgot about. Honestly, for a managed-security MSP that’s the easy version of this conversation: “for ten dollars a user I can be on any sick machine in thirty seconds” sells itself.

Turn it on first

This is the step everyone misses. Even once you’re licensed, Live Response is off by default.

Go to the Microsoft Defender portal, then Settings > Endpoints > Advanced features. Flip Live Response on. If you want to push scripts to servers too, enable Live Response for Servers. Save. (Configure advanced features walks through every toggle on that page.)

There’s a second switch just below: Live Response unsigned script execution. Leave that off. I’ll come back to why.

Check who’s allowed

Live Response is gated by role. Read-only permissions can look but not touch. To actually run commands and push files, your technician group needs the right Defender permission assigned. Sort this before an incident, not during one.

Open a session

Find the device in the inventory, open its page, and click Initiate live response session. Give it a few seconds to connect, and you’ve got a prompt.

Build your library once

This is where it goes from handy to a service. From the session console — or the Library management page — you can upload PowerShell scripts and run them on demand with a single command (upload to the live response library). Write the scripts once, run them across every client tenant.

A triage runbook might look like this:

run Get-RunningProcesses.ps1
run Get-PersistenceItems.ps1
run Collect-EventLogs.ps1
getfile "C:\Users\Public\suspicious.exe"

Notice what’s missing? No RDP credentials. No copying scripts onto the box and hoping nobody double-clicks them. No “can you read me the error message”. You point at the device, run a vetted script, pull the evidence back. Same four commands, every tenant, every time.

Why this actually changes behaviour

“We don’t touch the machine until we know what we’re dealing with.”

That used to mean waiting. Now it means a thirty-second session and a script you wrote last month.

Here’s what shifts. Triage stops being a scheduling problem and becomes a muscle. Your L1 can open a session and run the runbook before escalating, which means your L3 gets a tidy evidence pack instead of a vague ticket. The work moves down a tier and your senior people stay doing senior work.

And that unsigned-scripts toggle I told you to leave off? That’s the discipline. If every script in your library is signed, a compromised technician account can’t quietly run arbitrary code across your clients’ fleets through your own tooling. Convenience that becomes an attack path isn’t convenience. Leave it off.

If you’re selling managed Defender and you’re still RDP-ing in to triage, you’re billing time for a problem Microsoft already solved for you — assuming you’ve licensed the fix.

Live Response isn’t there to make remote access faster. It’s there to make “let me get on the machine” a non-event.

Check which tenants are licensed, turn it on this week, and the next incident will thank you.

Defender for Endpoint Web Filtering

image

A client rings up. Staff are burning half the day on betting sites, or someone clicked something they shouldn’t have, and now they want you to “lock down the web.”

So you go and price a web filter. Cisco Umbrella, DNSFilter, a firewall add-on. Another line item, another agent, another renewal to babysit.

Stop.

If that client is on Microsoft 365 Business Premium, you already sold them a web filter. It’s been sitting inside Defender, switched off, the whole time.

That’s not an upsell. That’s a setting.

What is web content filtering, really?

It watches where your devices go on the web and lets you block whole categories of sites by name. Gambling. Adult content. Peer-to-peer. Hacking. You tick a category, and people in the groups you choose stop being able to reach it, whether they’re in the office or working from a café.

Microsoft calls it web content filtering, and it rides on protection that’s already on the machine. In Edge, the blocks are enforced by SmartScreen. In Chrome, Firefox, Brave and Opera, they lean on network protection. Both of those have to be switched on, or nothing happens.

Here’s the part most people miss. Any category you don’t block gets audited automatically. So before you stop a single site, you get a report of exactly where your client’s staff have been going.

You can’t filter what you can’t see. So start by seeing.

Step-by-Step: turn it on, then point it at something
Switch on the feature

In the Microsoft Defender portal, go to Settings > Endpoints > Advanced features and flip Web content filtering to On. Save.

Create a policy and just watch

Go to Settings > Endpoints > Rules > Web content filtering and add a policy. Target a device group. Don’t block your client’s contentious categories yet. Let the audit data build.

Read the report

Open Reports > Web protection and look at the Web activity by category card. Give it time, there’s up to a 12-hour lag before activity shows up. This is the bit that changes the conversation. You’re no longer guessing what staff do online. You’re looking at it.

Block what actually matters

Now edit the policy and tick the categories the report told you to care about.

Microsoft Defender portal → Settings → Endpoints
   Advanced features → Web content filtering = On
   Rules → Web content filtering → + Add policy
Reports → Web protection → Web activity by category

Notice what’s missing? No PowerShell. No third agent. No new licence. Every step lives in a portal your client is already paying for.

Why this actually changes behaviour

Because you walk into the renewal with evidence, not a hunch.

“Here are 4,000 hits to gambling sites last month, off three machines.” That’s a discussion the business owner can act on. A quote for Umbrella is just a number they’ll push back on.

“But we already quoted them a web filter.” Fine. Now you can show them what they’d be paying for, and that they already own it.

A few things will bite you if you’re not watching for them:

  • Edge uses SmartScreen, everything else uses network protection. If network protection is in audit mode or off, your blocks are theatre. Lovely report, no enforcement.

  • Non-Microsoft browsers won’t honour HTTPS category blocks unless QUIC and Encrypted Client Hello are disabled. Leave them on and Chrome quietly routes around you.

  • Expect lag. Up to 12 hours before activity lands in the report, up to two hours before a block bites. Don’t test it in the first five minutes and declare it broken.

And when you genuinely need an exception, you don’t loosen the whole category. You carve out one site with a custom indicator, which sits above the filter in the order of precedence. Allow always wins over block. That’s your release valve when the boss insists on one specific site.

Run the audit, read the Web protection report, then block with proof in hand.

Web content filtering isn’t there to add a product to your stack. It’s there to delete one.

If you’re billing a client for a separate web filter on top of Business Premium, you’re charging them for something they already own. Show them the report instead.

That’s not filtering. That’s value you can prove.

Defender Vulnerability Management

image

Most people treat Defender Vulnerability Management like a weather report. They glance at the exposure score, nod, and close the tab.

That’s a waste.

The score isn’t the point. The workflow behind it is. And the part almost nobody uses — the bit that actually moves the needle — is the security baselines assessment sitting right next to it.

Here’s the thing. Patching tells you whether software is current. A baseline tells you whether it’s configured the way it’s supposed to be. Those are two completely different questions, and the second one is where most SMB environments quietly fall apart.

What are security baselines, really?

A baseline is a benchmark of configuration settings — things like password policy, BitLocker, account lockout, audit logging — measured against an industry profile.

In Defender, you assess your devices against the CIS or STIG benchmarks, pick a level (L1 is sensible-default, L2 is locked-down), and the tool tells you, device by device, setting by setting, where you comply and where you don’t.

Not “you’re missing 14 patches.” More like “BitLocker isn’t enforced on 9 machines and your audit policy is wide open.” That’s the stuff attackers love and scanners ignore.

The security baselines assessment documentation walks through the profile options if you want the full menu.

Step-by-Step: Build a baseline profile

You’ll need Defender for Endpoint Plan 2 with the MDVM add-on, or the MDVM Standalone licence. Then head to the Microsoft Defender portalExposure managementBaselines assessment.

Create the profile

Give it a name, choose your benchmark (CIS or STIG), choose your OS, choose your level. Start at L1. You can tighten later — leading with L2 just buries you in red.

Scope it to a device group

Don’t boil the ocean. Point it at one group — a handful of servers, or the managed laptops — and let it run.

Read the results by setting, not by score

Open the profile and sort by compliance. Each failing setting lists exactly which devices miss it. This is your work queue.

Now the part that earns its keep: exceptions

Here’s the reality every MSP knows. Some findings you can’t fix. The line-of-business app needs that legacy setting. The client won’t approve the downtime. The vendor says “don’t touch it.”

So what do most people do? Nothing. The finding sits there, red, forever — and after a while everyone stops looking because the dashboard is always angry.

That’s the trap. A permanently-red dashboard is the same as no dashboard.

The fix is the exception workflow. When you genuinely can’t remediate something, you file an exception — with a justification and an expiry date — and that finding drops out of your active exposure number. It doesn’t vanish. It’s parked, documented, and time-boxed.

Request the remediation first

For anything you can fix, connect Defender to Intune (it’s a toggle in the portal) and raise a remediation request straight from the recommendation. It lands in Intune as a tracked task instead of a Post-it note. The remediation request process covers the Intune connection.

File an exception for the rest

For the genuine “we can’t touch that,” create an exception with a real reason and a review date. The exceptions overview explains the justification types and how exceptions affect your exposure score.

“Doesn’t an exception just hide the problem?”

No. Hiding is when you ignore the red and hope. An exception is a decision — recorded, owned, and due for review. The difference is accountability.

Why this actually changes behaviour

Once you’re running baselines plus a disciplined exception workflow, “we can’t patch that one” stops being a silent gap. It becomes a documented, time-boxed choice with someone’s name on it.

That’s not a security feature. That’s a governance habit.

And it’s the exact thing that turns a vague “yeah, we’re secure” into a report you can hand a client.

If you’re not showing your clients their baseline posture and the exceptions you’ve signed off on, you’re leaving value — and trust — on the table.

The exposure score was never the deliverable. The conversation it lets you have is.

Defender for Cloud Apps session policy

image

Most MSPs treat Conditional Access as a light switch. Allow or block. Compliant device or not.

That works right up until a director needs OneDrive from a hotel laptop. Or a contractor needs SharePoint from a personal Mac. So you carve an exception, and the exception slowly becomes the policy.

There’s a third option sitting between allow and block. Almost no one in the SMB world turns it on.

It’s called a session policy, and it lives inside Defender for Cloud Apps. If your client is on E5 or Microsoft 365 E5 Security, they’re already paying for it.

What is a session policy, really?

A session policy is a real-time guardrail that fires after the user signs in. It rides along inside the browser tab.

It can block a download. It can block an upload. It can block copy-paste. It can force a sensitivity label on a file before it leaves OneDrive. It can make a user re-prove MFA before doing something sensitive — all without touching the device.

That’s not access control. That’s session control. Think of it as a referee inside the meeting, not a bouncer at the door.

It needs two pieces to fire. A Conditional Access policy in Entra ID that routes the session through Defender for Cloud Apps using Conditional Access App Control. And a matching session policy in the Defender portal that decides what to do once the session is in flight. Microsoft’s own Conditional Access app control overview is worth a read because it shows the reverse-proxy path the session actually takes.

One licensing note. Defender for Cloud Apps is not in Business Premium. You need E5, M365 E5 Security, or the standalone MDCA add-on. Plenty of SMBs already have it bundled and never realise.

Step-by-Step: blocking download to unmanaged devices

The killer scenario. Someone signs in to OneDrive from a personal laptop. They can read. They can edit in the browser. They cannot save a single file locally. No agent, no Intune enrolment, no work touching their device.

Build the Conditional Access policy

In the Microsoft Entra admin centre, go to Protection > Conditional Access > Policies and start a new policy. Scope it to your pilot group. For the cloud app, choose Office 365. Leave Grant on Grant access with no requirements — the heavy lifting happens elsewhere.

Turn on App Control

In the Session block, tick Use Conditional Access App Control and pick Use custom policy from the dropdown. That single tick is what tells Entra to hand the session to Defender. The full guidance lives in the Microsoft Learn how-to.

Move to the Defender portal

Now jump to security.microsoft.com. Under Cloud apps > Policies > Policy management, create a new Session policy. Start from the Block download based on real-time content inspection template — it saves a lot of clicks.

Filter to OneDrive and unmanaged devices

Set Activity source to Office 365 > OneDrive for Business. Add a filter: Device tag = Unmanaged. The action becomes Block file download.

Write a real block message

Don’t ship the Microsoft default. Tell the user why the file won’t download and what to do next. A blank “blocked by policy” page makes users fight the system and ring the helpdesk.

Run it in monitor-only first

Set the policy to Monitor only for a week. Watch the activity log. Confirm you’re catching the right sessions, on the right apps, against the right users. Then flip to Block. Microsoft’s create-a-session-policy walkthrough covers the screens for both modes.

Why this actually changes behaviour

Here’s the real win. Your director still gets OneDrive on the hotel laptop. The board paper opens in the browser. They can read it, comment on it, work through it.

They cannot drop it into the hotel laptop’s downloads folder.

That’s not a compromise. That’s the policy doing what you actually wanted the whole time.

“But why can’t I just block unmanaged devices outright?”

You can. You’ll also block every legitimate contractor, every guest reviewer, every consultant on a personal machine. Block is a single-use tool. Session policy is a scalpel.

Notice what’s missing? No agent on the device. No MDM. No certificate enrolment. The browser gets reverse-proxied through an *.mcas.ms URL and the session is policed in flight. Edge users get it in-browser with no URL change.

A copy-paste summary of what you’ve actually built looks like this:

Session policy: OneDrive – Block download from unmanaged
  Activity source : Office 365 → OneDrive for Business
  Device filter   : Device tag = Unmanaged
  Action          : Block file download
  Block message   : Custom — explain WHY + WHAT TO DO
  Content scan    : All files
  Phase           : Monitor → Block after 7 days

Notice what’s not in there. No list of apps. No list of file types. The whole policy keys off the device tag, because that’s the bit you can trust — Entra knows whether a device is compliant or unmanaged; the user can’t lie about it.

Where MSPs trip up

Three things bite people on the first rollout.

  • The Conditional Access policy must include the session control. If App Control isn’t ticked in CA, nothing routes to Defender. Many MSPs build the two policies as separate stories. They’re one story.

  • Native clients bypass MDCA. Outlook desktop, OneDrive sync, Teams desktop — none of them route through the reverse proxy. If you genuinely need to force browser, use the Entra session control Use app enforced restrictions on top, and read the Conditional Access session controls page before you go further.

  • Certificate chains matter. If the SaaS app has a partial chain, the proxy goes sideways. Test before you scope wide.
My recommendation

If you’ve got a client on E5 or M365 E5 Security and you’re not running at least one session policy, you’re leaving the most valuable thing in their stack switched off. Walk in next Monday with exactly one policy — block download from unmanaged for OneDrive. Monitor for a week. Flip to block. Show them the activity log.

Session policies aren’t there to keep users out. They’re there to let them in without the data following them out.

Defender XDR unified incident queue

image

Most MSPs I talk to are still triaging Defender alerts one console at a time. Open Defender for Endpoint, jump to Defender for Office 365, check Entra sign-in logs, back to the device timeline. Five tabs, five clocks, no story.

That’s not response. That’s archaeology.

Defender XDR fixed this. The unified incident queue sits in the Microsoft Defender portal and stitches signals from Endpoint, Office 365, Identity, Cloud Apps and Entra into a single container called an incident. One incident, one timeline, one place to act.

If you’re still working from individual alert lists, you’re doing the correlation work the platform already did for you.

What is the unified incident queue, really?

An alert is one signal — a flagged email, a process anomaly, a risky sign-in. An incident is what Defender builds when it stitches several of those alerts into one attack story across products. Same user, same device, same attacker IP, same hour, one incident.

You stop looking at noise and start looking at attacks. Microsoft frames it exactly that way in Incidents and alerts in the Microsoft Defender portal.

Notice what’s missing? Sentinel. You don’t need it to get value from this queue.

Step-by-Step: Working an incident properly
Open the queue

In security.microsoft.com, expand Investigation & response > Incidents & alerts > Incidents. That’s your home page now. Pin it.

Triage the top of the list

Sort by Severity. For each new incident, assign an owner, set status to In progress, and add a tag like ransomware-suspect or bec-suspect so the rest of your team can filter on it. Microsoft walks through this on Manage incidents in Microsoft Defender.

Open the attack story

Inside the incident, click Attack story. You get a graph — users, devices, files, mailboxes — with events in order. This is where the correlation pays off. You’re not joining tabs in your head anymore.

Hunt for the rest of it

If the incident feels like one footprint of a bigger campaign, open Hunting > Advanced hunting and run a KQL query against the relevant table. Bookmark the Advanced hunting overview(opens in new window) — it lists every table the queue can see across all the Defender workloads.

A starter:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("Invoke-WebRequest","DownloadString","certutil")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine

Notice what’s missing? PowerShell. You’re not running this from a remote shell. It runs in the portal, against the same data the incident was built from. That’s the point.

Save the good queries as detections

Any hunting query you’d happily wake up to at 3am can become a custom detection rule. From Advanced hunting, hit Create detection rule. Defender runs your query on a schedule and the matches feed straight back into the incident queue. The flow is documented in the Custom detections overview.

That’s the loop. Hunt once, detect forever.

Why this actually changes behaviour

“Where do I start?” becomes “What story is Defender telling me?”

When the queue is your home page, your team stops chasing alerts and starts closing incidents. The numbers you report to clients become incidents closed, median time to triage, active attack stories — not raw alert counts nobody can interpret.

The custom detection layer is where MSPs separate themselves. The product gives you the correlations Microsoft thought of. The rules you write are the correlations your clients need. Stack a few by vertical — finance, legal, construction — and you have a productised security service the next MSP down the road doesn’t.

The unified queue isn’t there to give you fewer alerts. It’s there to make alerts something you can actually work.

Microsoft Defender for Business: The MSP Reality Check

image


The short version: Microsoft Defender for Business scored 100% detection coverage across all 16 attack steps in the 2024 MITRE ATT&CK Enterprise evaluation. It also ships with no native multi-tenant console, no included 24/7 SOC, and an admin portal MSP operators openly describe as “a damn mess.” Both facts are true. Most MSPs have only priced one of them.


If you are an MSP selling Microsoft 365 Business Premium to sub-300-seat clients, you have almost certainly had the conversation: “Does Business Premium include endpoint protection?” The answer is yes—and that is exactly where the problem starts.


Defender for Business (DfB) is not the question. The question is what an MSP is actually delivering when it ticks the Business Premium box, onboards the tenant, and moves on. This post works through the technical reality of DfB in MSP deployments: what the product genuinely does well, where the operational gaps sit, what the practitioner community has settled on as the minimum viable wrap, and what the liability exposure looks like when the wrap is missing.



1. The Detection Engine Is Real—Stop Arguing About It


Defender for Business runs the same agent technology as Defender for Endpoint Plan 2 (MDE P2), the enterprise-tier EDR included in Microsoft 365 E5. The product ships:


  • Next-generation antivirus with cloud-delivered protection and behaviour-based detection
  • Behavioural EDR—endpoint detection and response with timeline and forensic telemetry
  • Automated Investigation and Remediation (AIR)—auto-triage and containment of common threat patterns without waiting for an analyst
  • Attack Surface Reduction (ASR) rules—policy-driven controls that block the abuse of common Windows features (Office macros, LSASS access, script execution chains, etc.)
  • Web content filtering and network protection
  • Threat & Vulnerability Management (TVM)—a simplified posture view that highlights missing patches, misconfigurations, and software exposure across managed endpoints


The 2024 MITRE ATT&CK Enterprise evaluation, independently scored by MITRE Engenuity, recorded Microsoft Defender XDR at 100% detection coverage across all 16 attack steps and all 80 sub-steps. This is the same underlying agent technology DfB uses. Calling Defender for Business “just antivirus” in 2026 is not a security assessment—it is an indicator that the person has not looked at the product since 2021.


Confidence note (HIGH): The MITRE result is independently scored and publicly verifiable at attackevals.mitre-engenuity.org. G2’s 30-review aggregate for DfB sits at 4.5/5, with the dominant negative theme being “complex to configure”—not “missed threats.”


What DfB does NOT include versus MDE Plan 2 / E5


Clarity on the gaps matters because MSP decisions about upgrade paths depend on them:


  • Full Advanced Hunting with the complete KQL schema and 30-day cross-tenant query capability is absent. DfB has a stripped view only.
  • Custom detection rules at scale—the API-driven workflow for building organisation-specific KQL detections is an E5/MDE P2 feature.
  • Microsoft Threat Experts / Defender Experts for Hunting is an add-on entitlement, not included at any Business Premium tier.
  • Full TVM prioritisation workflows, including contextual risk scoring and remediation ticket integration, are more limited in DfB than in MDE P2.


For most sub-300-seat SMB clients, the missing features are not the bottleneck. The bottleneck is operational—and it starts at the management layer.



2. The Management Gap Is the Real MSP Problem


Across r/msp threads spanning August 2022 through January 2025—the most sustained practitioner conversation about DfB in MSP deployments—the dominant complaint is not detection quality. It is operability at scale.


“There is supposed to be auto remediation, but every tenant has a blank page in the settings… Logging into each tenant (delegation won’t work on these pages) is a PITA, and manually requesting remediation for the following day or later. Typical Microsoft, great idea, so lacking in cohesive execution.”

— GremlinNZ, MSP operator, r/msp canonical thread


“They need to make the Defender portal easier to use. It’s a damn mess right now.”

— ancillarycheese, MSP operator, r/msp


“We use Defender for Business WITH SentinelOne… as a stand-alone EDR solution—I wouldn’t recommend it. Without CIPP and other tools it becomes problematic to manage.”

— blindgaming, MSP operator, r/msp


The core structural problem is this: security.microsoft.com does not support delegated multi-tenant access in the same way that the Microsoft 365 admin portals do. An MSP with 40 tenants cannot manage Defender for Business alerts across all of them from a single pane of glass using native Microsoft tooling alone. Each tenant requires a separate login context. Delegation through GDAP helps with permissions but does not solve the unified-view problem.


This is not a minor UX complaint. It is a scalability ceiling. An MSP tech managing 20 tenants who needs to check for active incidents across all of them each morning is looking at 20 individual logins, 20 separate portal states, and 20 alert queues with no aggregated view. At that point, either the techs burn out or the alerts go unchecked—and in a security context, unchecked alerts are the same as no alerts.


The contrast with single-tenant environments


It is worth noting that the r/sysadmin community—practitioners managing one tenant rather than twenty—runs consistently more positive on DfB than r/msp:


“It’s pretty decent, and you’re only going to be able to do better if you move to a much higher-end EDR like CrowdStrike or SentinelOne. But Microsoft is no slouch here.”

— canadian_sysadmin, r/sysadmin


“Windows Defender for Endpoint/Business is a world leading solution. That being said it is best managed and monitored through your Microsoft 365 Business license with Intune and native management.”

— Avas_Accumulator, r/sysadmin


The split in sentiment is not about the product. It is about deployment context. In a single-tenant environment the multi-tenancy gap does not exist. In an MSP environment running 20–200 tenants, it is the dominant operational constraint.



3. Microsoft Does Not Include a 24/7 SOC with Business Premium


This is the single most consequential fact MSPs fail to communicate to clients, and the one most likely to produce a liability incident when it surfaces during a breach.


Microsoft’s managed SOC offering—Defender Experts for XDR—is sold separately. It has no public per-seat price. It is gated behind an interest form and is clearly positioned as an enterprise offering. There is no indication it is accessible to sub-300-seat SMB clients at a commercially viable price point.


The practical consequence for MSPs is blunt:


  1. DIY 24/7 monitoring—viable only for MSPs with a staffed NOC/SOC running around the clock, which is rare at the SMB-MSP tier.
  2. Defender Experts for XDR—enterprise-priced, opaque, and not practically accessible for Business Premium clients.
  3. Third-party SOC partner—Huntress, Blackpoint, Field Effect, Arctic Wolf, or Pax8-distributed MDR offerings layered on top of DfB.


The liability gap: A CFO at a 40-seat SMB hears “Business Premium includes Microsoft Defender” and reasonably concludes they have bought managed security. They have not. They have bought a detection engine. Whether anyone reads the alerts—and how fast—is entirely determined by the MSP’s service design, and if that is not documented in the MSA, neither party knows what they have bought.



4. The Minimum Viable MSP Wrap Stack


The practitioner community on r/msp has, over three years of iteration, converged on a standard architecture for running Defender for Business at MSP scale. None of the components are optional if the MSP wants to deliver an operationally sound result:


Layer 1: Access Management

GDAP (Granular Delegated Admin Privileges)—required for MSP access to customer tenants using the principle of least privilege. Replaces the legacy DAP model. Without GDAP properly configured, the MSP is either operating with excess privilege or managing access manually per tenant—neither is acceptable from a security or audit perspective.


Layer 2: Multi-Tenant Management

Choose one or more of:

  • Microsoft 365 Lighthouse—Microsoft’s own multi-tenant management portal for MSPs serving SMB clients. Provides an aggregated view of device compliance, alerts, and user risk across tenants. Improving but still limited for deep Defender operations.
  • CIPP (Community Intune and Partner Portal)—open-source MSP management platform with strong M365 coverage. Widely used in the community for tenant management, user operations, and policy deployment.
  • Inforcer—commercial MSP management layer with strong Business Premium policy management. Specifically designed for MSPs running large numbers of Microsoft tenants.


Layer 3: Policy Hardening

Intune-enforced security policies are the mechanism by which ASR rules, device compliance baselines, and Defender configuration actually land on endpoints. DfB in default configuration is not a hardened deployment. An MSP that onboards a tenant, enables DfB, and does not push a policy baseline is leaving a significant proportion of the product’s protective capability unused.

Critical policies that must be configured intentionally:

  • ASR rules—in Audit mode by default; must be switched to Block mode per rule after validating impact
  • AIR configuration—automated remediation level (Full vs. Semi-require-approval) per device group
  • Tamper protection—on by default in DfB but worth verifying across all enrolled devices
  • Network protection and web content filtering category configuration
  • Device isolation policy for high-severity incidents


Layer 4: The 24/7 SOC Layer

The alert that fires at 7:14pm on a Friday needs to be read and acted on within minutes, not at 9am Monday. For most MSPs this means a third-party MDR partner. The most commonly recommended option in the practitioner community is Huntress Managed EDR.


“Ditch your current AV spend for Huntress and use Microsoft Defender. Huntress manages a lot of the MS Defender features… from a multi-tenant monitoring/management/alerting perspective, this is the best solution on the market today.”

— amw3000, MSP operator, r/msp canonical thread (consistently upvoted 2022–2025)


Huntress was named a Microsoft Verified SMB Solution in November 2024 and announced an expanded Microsoft Defender collaboration in July 2025. The fact that Huntress chose to build on Defender rather than displace it is the strongest possible product-level endorsement of the DfB engine—and simultaneously the clearest acknowledgement that the engine alone is not sufficient for MSP-scale operations.

Alternatives to Huntress for the SOC layer: Blackpoint Cyber, Field Effect, Arctic Wolf, and Pax8-distributed MDR offerings. The choice of partner matters less than the fact that a choice has been made and that it is priced into the client’s service agreement.



5. What Happens When the Wrap Is Missing


A 40-seat accounting firm signs onto Business Premium on the MSP’s recommendation. The MSP onboards them in a week—Intune basic policy, MFA, Conditional Access, Defender for Business switched on across all endpoints. The client’s CFO asks once whether they are now “covered” for ransomware. The MSP says yes, in writing. Eleven months pass without an alert worth investigating.

On a Friday in month twelve, a partner clicks a payroll-themed phishing link from a hotel Wi-Fi. Defender flags the executable, isolates the device, and writes the incident to the security portal at 7:14pm. Nobody opens the portal until Monday at 9am. By then the attacker has used the seventy-two-hour window to pivot through the partner’s saved credentials into the firm’s tax software vendor and exfiltrate two seasons of client returns.

The post-incident review is short. The detection worked. The agent did exactly what Microsoft’s MITRE result said it would. What did not work was the part that was never bought, never built, and never priced—the layer that reads the alert at 7:14pm on a Friday and acts on it. The MSP had sold a licence. The client had assumed they bought a service. Both were correct. Both were also wrong about what the other one meant.



6. The Cost Economics—Why DfB + Wrap Beats the Alternatives


The Business Premium upgrade conversation is often framed as “is Defender for Business worth $9.50 per user per month?” That is not the right question. The $9.50 Business Standard to Business Premium delta delivers:


  • Defender for Business (EDR)
  • Microsoft Intune (MDM/MAM)
  • Azure Information Protection / Microsoft Purview Information Protection
  • Conditional Access (Entra ID P1)
  • Defender for Office 365 Plan 1 (anti-phishing, Safe Links, Safe Attachments)


Valued individually, the $9.50 delta is almost always defensible for any SMB with more than a basic threat profile. The correct question is whether the MSP has priced the wrap on top of it—because that is what determines whether the $9.50 produces security outcomes or merely a compliance checkbox.


Product Price Notes
M365 Business Standard $12.50 / user / month No EDR included
M365 Business Premium $22.00 / user / month DfB + Intune + CA + AIP + Defender for Office 365 P1
Defender for Business (standalone) $3.00 / user / month EDR only, same 300-seat cap
MDE Plan 2 (standalone) $5.20 / device / month Full EDR + Advanced Hunting + Threat Experts eligibility
CrowdStrike Falcon Go $59.99 / device / year (~$5.00/month) Closest single-vendor SMB alternative
Huntress Managed EDR Per-agent (contact Huntress) Layered on top of DfB; includes 24/7 SOC and <8 min median response


For clients already paying $22.00/user for Business Premium, DfB is sunk cost. The marginal question is the SOC layer—and layering Huntress on top of the included DfB engine almost always produces better economics than replacing Defender with a competing EDR, because the competing EDR still does not include 24/7 human response at the Huntress price point.



7. When to Move Beyond Defender for Business


DfB has a hard ceiling of 300 seats per tenant. At 301 users, the organisation must move to Microsoft 365 E3 (which includes MDE Plan 1) or E5 (which includes MDE Plan 2). This is a contractual limit, not a technical one.


The soft thresholds where MSP guidance should flip to E5 / MDE P2 before reaching 300 seats:


  • Regulated workloads—HIPAA, PCI-DSS, CMMC Level 2 or higher. These require documented custom detections, extended retention, and SOC reporting that DfB’s simplified tooling cannot produce.
  • Elevated threat profile—clients with significant third-party integrations, supply-chain exposure, high-value IP, or a documented history of targeted attacks. The Advanced Hunting / KQL gap becomes material at this profile.
  • Contractual SOC requirement—clients whose cyber insurance, board mandate, or regulator requires a named 24/7 SOC with documented SLAs. Defender Experts for XDR or a contracted MDR partner with E5 tooling is the appropriate response.
  • Multi-geo or cross-tenant consolidation—organisations with subsidiaries or complex ownership structures where cross-tenant Advanced Hunting is operationally required.



8. The Framework That Settles the Debate


“I see far too many MSPs ‘turn on’ Defender for Business and then move on. That’s not implementation. That’s box-ticking. Defender for Business is a serious security platform—but only if it’s deployed properly, configured intentionally, and monitored consistently.”

Robert Crane, CIAOPS, Microsoft MVP


This is the most useful single sentence for framing the MSP decision. The product does what it says. The gap is not in the technology—it is in the implementation discipline. Specifically:


  • Deployed properly—GDAP configured, all endpoints enrolled in Intune, DfB policy pushed to all device groups, not just the easy ones.
  • Configured intentionally—ASR rules reviewed and moved to Block mode per environment; AIR level set deliberately (Full automation for most SMB, semi-require-approval for environments where business operations cannot tolerate false-positive isolations); TVM findings reviewed on a scheduled cadence.
  • Monitored consistently—a named process, supported by a named tool or partner, that reads and acts on alerts within a defined SLA. Not “we check the portal when we think of it.”


The MSPs failing with DfB are not failing because the product does not detect threats. They are failing because they have sold a licence and delivered an engine, when what the client needs is the engine plus the configured policies plus the monitoring layer that makes the engine operationally useful.



9. Alert Volume and the Noise Question


Microsoft’s official position after MITRE ATT&CK Enterprise 2024 is high detection coverage with minimal false positives. SentinelOne’s competing write-up of the same evaluation claimed their product produced “88% less noise” than Microsoft. As a competitor source this requires appropriate scepticism, but the directional claim aligns with MSP practitioner experience: DfB in default configuration, across a large number of tenants, produces significant alert volume.


The relevant counter-evidence:


  • AIR is a genuine differentiator. Multiple MSP operators note that Automated Investigation and Remediation catches and closes the majority of routine alerts before a tech ever sees a ticket. The noise problem is substantially worse for MSPs who have AIR configured at Semi (manual approval) than for those running Full automation.
  • TVM is useful in passive mode. Even without active alert response, DfB’s vulnerability and posture data surfaces actionable hardening recommendations that are independent of alert volume.
  • The noise threshold varies by ASR rule configuration. An environment with ASR rules tuned against the specific application baseline will generate substantially fewer false positives than one running with audit-mode defaults or globally applied Block rules on mixed-use devices.


The practical implication: alert volume management is a configuration problem, not a product problem. MSPs who complain about noise and have not audited their ASR rule states, AIR configuration, and detection exclusions are working on the wrong variable.



10. MSP Checklist: Minimum Viable DfB Deployment


Use this as a deployment validation checklist. Each item represents a gap that, if left open, reduces the client’s actual security outcome regardless of the licence they are paying for.

Area Required Action Common Miss
Access GDAP configured with least-privilege roles for all MSP technicians Legacy DAP still in place, or GDAP roles not scoped to minimum required
Enrolment All Windows endpoints enrolled via Intune / Entra hybrid join; DfB policy applied to all device groups Unmanaged devices not onboarded; DfB policy applied only to a subset of groups
ASR Rules Each ASR rule reviewed in Audit mode, validated against app baseline, then moved to Block for applicable rules All rules left in Audit mode; Block applied globally without application validation causing false positives
AIR Automation level set to Full for standard device groups; Semi only where business continuity requires manual approval Left on default Semi requiring approval; MSP never approves pending actions; threats sit isolated but unresolved
Multi-tenant view M365 Lighthouse, CIPP, or Inforcer configured to aggregate alerts and compliance state across all tenants MSP techs logging into each tenant individually; alert review not on a defined schedule
SOC layer Named 24/7 response partner (Huntress, Blackpoint, etc.) contracted and integrated with DfB telemetry No after-hours response; client believes Business Premium = managed security
Documentation Client MSA clearly specifies what is and is not included; incident response SLA documented MSA silent on security scope; client assumes coverage that does not exist
TVM review Scheduled cadence (monthly minimum) for reviewing TVM findings and converting to remediation tickets TVM data collected but never acted on




Key Statistics


Metric Value Source
DfB standalone price $3.00 / user / month MSPoweruser
M365 Business Premium $22.00 / user / month Microsoft
M365 Business Standard $12.50 / user / month Microsoft
DfB seat cap 300 users / tenant Microsoft Learn
MITRE ATT&CK Enterprise 2024—Microsoft detection coverage 100% across 16 attack steps / 80 substeps Microsoft Security Blog, Dec 2024
SentinelOne “noise” claim vs Microsoft (MITRE 2024) “88% less noise”—competitor source SentinelOne
Huntress Managed EDR median response <8 minutes Huntress
CrowdStrike Falcon Go SMB pricing $59.99 / device / year CrowdStrike
G2 aggregate rating—DfB 4.5 / 5 (30 reviews) G2 Reviews 2026
Huntress Microsoft partnership milestone Microsoft Verified SMB Solution, November 2024 Huntress blog



Closing: The Question That Actually Matters


The debate about whether Defender for Business is “good enough EDR” has been settled since the 2024 MITRE evaluation. It is a legitimately strong detection engine. It is not a complete security program.


The question for every MSP selling Business Premium is not “is DfB real EDR?” It is: who in your organisation owns the alert at 2am on a Sunday?


If you can name that person or that service, and it is priced into the client’s agreement, and the policies are configured rather than defaulted, and TVM findings are reviewed on a schedule—then Defender for Business at sub-300 seats is extraordinarily hard to beat economically. The $9.50 Business Premium delta, plus a Huntress-tier SOC layer, competes with anything in the SMB market at a price point no competing vendor can match.


If you cannot name that person, and the client signed an MSA that does not address security scope, and the ASR rules are in Audit mode, and nobody has checked the portal since onboarding—then the client believes they have managed security and the MSP is one incident away from finding out the difference.


Turning on Defender for Business is not implementation. It is the starting line.



Sources


  1. Microsoft Learn. Compare Microsoft Defender for Business plans. learn.microsoft.com/en-us/defender-business/compare-mdb-m365-plans
  2. Microsoft Learn. What’s included in Microsoft Defender for Business. learn.microsoft.com/en-us/defender-business/mdb-overview
  3. Microsoft. Microsoft 365 Business Premium pricing. microsoft.com
  4. Microsoft Security Blog. Microsoft Defender XDR demonstrates 100% detection coverage in 2024 MITRE ATT&CK Evaluation: Enterprise. 11 Dec 2024. microsoft.com/en-us/security/blog
  5. MITRE Engenuity. ATT&CK Evaluations Enterprise 2024. attackevals.mitre-engenuity.org
  6. Microsoft. Defender Experts for XDR. microsoft.com
  7. SentinelOne. 2024 MITRE ATT&CK Evaluation results. sentinelone.com
  8. Huntress. Managed EDR product page. huntress.com
  9. Huntress. Huntress expands Microsoft Defender collaboration. Jul 2025. huntress.com
  10. Huntress. Huntress named Microsoft Verified SMB Solution. Nov 2024. huntress.com
  11. CrowdStrike. Falcon Go for small business. crowdstrike.com
  12. r/msp. Do any of you use Microsoft Defender for Business. Aug 2022 (active comments through 2024). reddit.com/r/msp
  13. r/msp. Defender for Business: This is the way for clients <300 users. Nov 2021. reddit.com/r/msp
  14. r/sysadmin. Microsoft Defender for Business. Mar 2022. reddit.com/r/sysadmin
  15. G2. Microsoft Defender for Business reviews 2026. g2.com
  16. NinjaOne. How to Set Up Microsoft Defender for Business in MSP Environments. 31 Oct 2025. ninjaone.com
  17. MSPoweruser. Microsoft Defender for Business standalone $3 pricing announcement. mspoweruser.com
  18. Robert Crane / CIAOPS. Blog and posts on Defender for Business deployment. blog.ciaops.com




© 2026 — Research compiled May 9, 2026. Sources span August 2022 – October 2025.

Pricing and product details subject to change. Verify current figures at publish time.