Defender

Defender can be accessed from the Defender Portal and contains most of the "Defender for..." tools including:

  • Defender for Endpoint (MDE)
    • EDR for devices; on Windows it works together with the Defender Antivirus service
  • Defender for Identity (MDI)
    • Identity protection for your on-premises AD environment
  • Defender for Office 365 (MDO)
    • Email protections
  • Defender for Cloud Apps (MDCA)
    • Cloud app usage reporting and alerting

Together they form Defender XDR, a single source of incidents for your Microsoft products and their alerts when configured correctly. Depending on licensing and region it is possible to also include alerts from Entra ID Identity Protection, Defender for Cloud (MDC), and Microsoft Sentinel.

Opinion

While each tool in Defender has its own implementation difficulties and challenges, I would not categorize one as "easier" than the other to start with. It is possible for a dedicated individual to deploy and configure a lot of these tools in a week, but there are things that take time. An example deployment might look like this, but always consider your requirements and environment.

  1. Deploy items that take time
    1. MDE to workstations
    2. If you have AD, run the MDI sizing tool, as it takes 24 hours
  2. Deploy items that gather information
    1. ASR rules in audit to your onboarding workstations
    2. Enable the MDCA connection within MDE
    3. Connect Microsoft apps to MDCA
  3. Create some pilot policies in MDO
    1. You can start with maybe some IT and "Power" users, and later add more users until you are comfortable with your advanced email security
  4. Configure settings, deploy MDI sensors, and use Secure Score to find new items to work on in the future
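Step 2.1 above (ASR rules in audit mode) is the one that produces data you can act on while the rest of the rollout is still in progress. The PowerShell below is an added example and is not part of the original page: it stages three ASR rules in audit mode on a pilot workstation, reads the effective configuration back, and summarizes the audit events Defender has logged, which is what you would review before switching a rule to block. It assumes it is run elevated on a Windows 10/11 device with Defender Antivirus active, that the three rule GUIDs are Microsoft's published IDs for the named rules (verify them against the current ASR rule reference before use), and that audit hits land in the Defender operational log as event ID 1122.

```powershell
# Added example, not from the original page. Run elevated on a pilot device.
# Rule GUIDs are taken from Microsoft's published ASR rule list; confirm them
# against the current reference before deploying.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

# AuditMode (value 2) logs what the rule would have blocked without enforcing it.
# Add-MpPreference appends to the existing rule list rather than replacing it.
foreach ($id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Read the effective configuration back so the change can be confirmed per device.
# Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
function Get-AsrConfiguration {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id     = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        $action = $pref.AttackSurfaceReductionRules_Actions[$i]
        [pscustomobject]@{
            RuleId = $id
            Action = $action
            Name   = if ($AsrRules.ContainsKey($id)) { $AsrRules[$id] } else { '(other rule)' }
        }
    }
}

# Audit hits are written to the Defender operational log as event ID 1122
# (1121 is the corresponding block event once a rule is enforced). The rule
# GUID is extracted from the event message text; anything unparsed is kept
# under its own bucket so nothing is silently dropped.
function Get-AsrAuditSummary {
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $events | Group-Object {
        if ($_.Message -match 'ID:\s*([0-9A-Fa-f-]{36})') { $Matches[1].ToUpper() } else { 'unparsed' }
    } | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            RuleId = $_.Name
            Hits   = $_.Count
            Name   = if ($AsrRules.ContainsKey($_.Name)) { $AsrRules[$_.Name] } else { '(other rule)' }
        }
    }
}

Get-AsrConfiguration  | Format-Table -AutoSize
Get-AsrAuditSummary   | Format-Table -AutoSize
```

On a managed fleet the rule configuration itself belongs in Intune or Group Policy rather than a per-device script; the value of running this locally is the read-back and the audit summary, which tell you whether a rule is quiet enough to move to block or whether it will interrupt a line-of-business application first.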

If you are starting a new environment, perhaps moving from another product, and Microsoft is new to you, I would suggest hardening as much as you can before users get more active in your Microsoft environment. Don't be so aggressive that you're making things difficult for your users, but the more you configure on day 1, the less you have to plan, evaluate, and communicate changes to your users. I believe in communication, but if your environment is wide open you will likely have a battle between handling incidents, getting approval, setting up communications, and testing, until one day you have a major incident and the setting finally gets the attention you need to implement it.