This chapter covers the Microsoft Defender Portal, the unified security operations center (SOC) experience for Microsoft 365 Defender (now branded Microsoft Defender XDR). For the SC-900 exam this is a core topic under domain 3 (Describe the capabilities of Microsoft security solutions) and a frequent source of questions. You must understand the portal's purpose, its key components (incidents, alerts, hunting, threat analytics), and how it integrates with other Microsoft security services. The exam will test your ability to identify the correct portal for a given scenario and explain how the portal helps security teams respond to threats.
Imagine a major international airport with a single security control center that monitors all terminals, gates, baggage areas, and runways. The center has multiple screens showing live feeds from thousands of cameras, motion sensors, badge readers, and metal detectors. Each screen is a different "workload" — one shows passenger screening, another shows baggage handling, another shows perimeter intrusion. The security director can view all screens on one unified dashboard, drill into any incident, and trigger automated responses like locking down a gate or dispatching guards. This mirrors the Microsoft Defender Portal: it aggregates security signals from across Microsoft 365 Defender, Defender for Cloud, Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps into a single pane of glass. Just as the airport control center correlates badge swipes with camera footage to detect tailgating, the portal correlates email threats, endpoint alerts, identity anomalies, and cloud app risks to reveal multi-stage attacks. The portal's "Incidents" view is like the airport's incident commander board — it pulls related alerts into a single case, showing the full kill chain. The "Hunting" capability is like reviewing recorded footage to find a suspicious person who visited multiple terminals — you query across all data sources to find patterns. The portal also provides recommended actions, akin to the control center's standard operating procedures for each threat type.
What is the Microsoft Defender Portal?
The Microsoft Defender Portal (formerly the Microsoft 365 Defender portal; the product behind it is now called Microsoft Defender XDR) is a unified web-based interface at security.microsoft.com that brings together threat protection capabilities from across the Microsoft security ecosystem. It serves as the primary operations hub for security teams to detect, investigate, and respond to threats across endpoints, identities, email, cloud apps, and data. The portal replaces the separate portals for Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps, providing a single pane of glass.
Why it exists
Organizations using multiple Microsoft security products historically had to log into separate portals: securitycenter.windows.com for Defender for Endpoint, protection.office.com for Defender for Office 365, portal.cloudappsecurity.com for Defender for Cloud Apps, and the Azure ATP portal (a per-tenant *.atp.azure.com address) for Defender for Identity. This fragmented approach slowed incident response because analysts had to manually correlate alerts across consoles. The Microsoft Defender Portal solves this by aggregating alerts, incidents, and signals into one unified experience, enabling faster triage and response.
How it works internally
The portal sits on a common data model and correlation backend that ingests signals from every Defender XDR component and the broader Microsoft security stack. When an alert fires in any component (e.g., Defender for Endpoint detects malware, Defender for Office 365 detects a phishing email), the backend correlates it with other related signals, using shared entities (the same device, user, mailbox, file hash, IP or URL), machine learning and deterministic rules, to form an incident. An incident is a collection of related alerts that together tell the story of an attack. The portal presents incidents in a queue with severity, status, and assigned owner.
Key components and values
Incidents & Alerts: The main working view for analysts. Incidents are the primary unit of investigation. Each incident has a unique ID, a severity (Informational, Low, Medium, High; there is no Critical level, and the incident's severity is the highest severity of its alerts), a status (New, In Progress, Resolved), and one or more categories that follow MITRE ATT&CK tactics (e.g., Initial access, Execution, Credential access, Exfiltration). Alerts are the individual detections that belong to an incident. The portal automatically groups alerts into incidents based on shared entities (devices, users, mailboxes) and attack patterns.
Hunting: Advanced hunting is a query-based tool using Kusto Query Language (KQL) that lets analysts search raw telemetry across all Defender XDR components. Data is stored in tables such as EmailEvents, DeviceProcessEvents, IdentityLogonEvents and CloudAppEvents, plus AlertInfo and AlertEvidence for the alerts themselves. Queries can be saved, shared, and turned into custom detection rules that run on a schedule.
Threat Analytics: This section provides curated threat intelligence reports from Microsoft's security researchers. Each report includes a description of the threat, its attack chain, detection details, and recommended actions. Reports are updated for active campaigns and vulnerabilities.
Action Center: Lists pending and completed remediation actions such as isolating a device, blocking a file, or deleting an email. Actions can be approved or rejected by analysts.
Secure Score: A measurement of an organization's security posture based on configuration settings. It provides recommendations to improve security.
Learning Hub: Provides guided walkthroughs and training for analysts.
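The correlation described under Incidents & Alerts is visible from advanced hunting: the AlertInfo and AlertEvidence tables hold every alert and the entities it touched, so you can find devices that several Defender products have alerted on, which is exactly the raw material the portal folds into one incident. The following query is an added example written for this chapter, not a query from the original page or from Microsoft; it uses only documented advanced hunting columns and a 24-hour window chosen for illustration.

```kql
// Added example (not from the original page): devices with alerts from more than one
// Defender product in the last 24 hours, i.e. candidates for cross-product correlation.
let Window = 24h;
AlertEvidence
| where Timestamp > ago(Window)
| where isnotempty(DeviceId)                       // keep only evidence that names a device
| join kind=inner (
    AlertInfo
    | where Timestamp > ago(Window)
    | project AlertId, Title, Severity, ServiceSource, DetectionSource, Category
  ) on AlertId
| summarize AlertCount = dcount(AlertId),
            Sources    = make_set(ServiceSource),     // e.g. "Microsoft Defender for Endpoint", "Microsoft Defender for Office 365"
            Severities = make_set(Severity),
            Titles     = make_set(Title, 20)
    by DeviceId, DeviceName
| where array_length(Sources) > 1                     // more than one product fired on the same device
| order by AlertCount desc
```

Swap the DeviceId filter for AccountObjectId or AccountUpn to run the same check on users, which is how a phishing alert from Defender for Office 365 ends up in the same incident as a sign-in alert from Defender for Identity. Severity is kept as a set rather than a maximum because the column is a string, so max() would sort it alphabetically instead of by seriousness.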
Configuration and verification
The portal is enabled by default when any M365 Defender workload is licensed (E5, A5, or add-on licenses). To verify access, navigate to https://security.microsoft.com. The left navigation pane shows: Incidents & Alerts, Hunting, Threat Analytics, Secure Score, Learning Hub, and more. Administrators can configure role-based access control (RBAC) within the portal to grant specific permissions (e.g., Security Reader, Security Operator, Security Administrator).
How it interacts with related technologies
The Microsoft Defender Portal is the central hub but relies on data from:
- Microsoft Defender for Endpoint: endpoint detection and response (EDR) telemetry and antivirus alerts.
- Microsoft Defender for Office 365: email and collaboration threats (phishing, malware, spam, malicious URLs).
- Microsoft Defender for Identity: on-premises identity attacks (pass-the-hash, Kerberoasting, suspicious logons).
- Microsoft Defender for Cloud Apps: cloud app usage anomalies, shadow IT, OAuth app permissions.
- Microsoft Entra ID (formerly Azure Active Directory): identity signals and risk events from Entra ID Protection.
- Microsoft Sentinel: for organizations running a SIEM, the Microsoft Defender XDR connector (formerly the Microsoft 365 Defender connector) streams incidents and alerts from the Defender Portal into Sentinel; the data flows from the portal to Sentinel, not the other way round. A Sentinel workspace can also be onboarded into the Defender Portal so both are worked from one place.
The portal also supports integration with external tools via APIs for SOAR (Security Orchestration, Automation, and Response).
Incident lifecycle in the portal
Creation: An alert is generated by a Defender component. The backend correlates it with existing incidents or creates a new one.
Triage: Analysts review the incident queue, assign an owner, tag the incident, and set its status to 'In Progress'. Severity is not set by hand; it is derived from the highest-severity alert in the incident.
Investigation: Analysts use the incident graph to see related alerts, entities (devices, users, IPs), and evidence. They can use advanced hunting to find additional data.
Response: Analysts take actions via the Action Center (e.g., isolate device, soft-delete email, disable user).
Resolution: After investigation, the incident is resolved with a classification (True Positive, False Positive, or Informational/expected activity, formerly called Benign Positive) and a determination (e.g., Malware, Phishing, Unauthorized access, Security testing).
Default values and timers
Alerts and incidents are retained in the portal for 180 days, but the raw telemetry behind them in advanced hunting is retained for only 30 days, so an older incident may no longer have hunt-able events behind it.
Incidents are not closed on a timer; they stay open until an analyst resolves them. Automated investigation and response (AIR) can resolve individual alerts on its own once remediation completes.
The Secure Score is recalculated daily.
Threat Analytics reports are updated as new intelligence is released.
Exam-critical details
The portal URL is security.microsoft.com (not securitycenter.windows.com or protection.office.com).
The portal is part of Microsoft 365 Defender, not a separate product.
Incidents are the primary focus for SOC teams; alerts are subordinate.
Advanced hunting uses KQL (Kusto Query Language).
Threat Analytics provides actionable intelligence from Microsoft researchers.
The portal supports RBAC via Azure AD roles and custom roles within the portal.
Common exam scenarios
The exam may present a scenario where an organization uses multiple Microsoft security products and asks which portal provides unified visibility. The answer is always the Microsoft Defender Portal. Another scenario might ask where to find information about a specific attack campaign — that's Threat Analytics. Or where to query raw telemetry data — that's Advanced Hunting.
Access the Defender Portal
Navigate to https://security.microsoft.com in a web browser. Sign in with an account that has appropriate permissions (Security Reader, Security Administrator, or a custom role). The portal opens on the Home page, which shows a summary of active incidents, alerts, and Secure Score; Incidents & Alerts is one click away in the left navigation. If the tenant lacks a license for a given Defender workload, that workload's sections are hidden. Authentication is handled by Microsoft Entra ID, so Conditional Access and multi-factor authentication apply.
Review Incidents Queue
The Incidents page lists all incidents with columns: Incident ID, Severity, Status, Category, Last activity, and Assigned to. You can filter by severity (e.g., Critical, High), status (New, In Progress, Resolved), and time range. Clicking an incident name opens the incident details page. The incident graph visually shows the relationship between alerts, affected users, devices, and IPs. The Evidence and Response tab lists all evidence collected and actions taken.
Investigate an Incident
Within an incident, you can view each alert by clicking it. Each alert has a detailed timeline, affected entities, and detection source. Use the 'Go hunt' button to launch an advanced hunting query pre-populated with the incident's entities. The investigation uses KQL to query tables like DeviceProcessEvents, EmailEvents, IdentityLogonEvents. Results can be exported or used to create custom detection rules.
Take Remediation Actions
From the incident or alert page, select 'Actions' to initiate response actions. Available actions depend on the alert type and source. For endpoints: isolate device, run antivirus scan, block file. For email: soft-delete (move to Deleted Items), hard-delete (purge), block sender. For identity: disable user, reset password. Actions are sent to the Action Center for approval if configured. The Action Center shows pending actions that require approval by a security administrator.
Use Advanced Hunting
Navigate to 'Hunting' > 'Advanced hunting'. The query editor supports KQL. Start with a simple query like 'EmailEvents | take 10' to see sample email events. Use the schema pane beside the editor to explore the available tables and columns. Queries can be saved and shared with other analysts, and results can be viewed as a table or a chart. The 'Create detection rule' option turns the query into a custom detection rule, which runs on a schedule and raises an alert whenever the query returns results.
Enterprise Scenario 1: Phishing Campaign Investigation
A large financial institution receives a wave of phishing emails targeting executives. The SOC team uses the Microsoft Defender Portal to investigate. They start by looking at the Incidents queue, where they see a high-severity incident named 'Email phishing campaign targeting VIPs'. Inside, they find alerts from Defender for Office 365 (phishing emails detected by anti-phishing policies) and Defender for Endpoint (a user clicked a link and downloaded a payload). The incident graph shows the affected users, the malicious sender, and the devices involved. The team uses Advanced Hunting to query EmailEvents for all emails from the malicious sender in the last 7 days, and IdentityLogonEvents to see if any compromised accounts attempted lateral movement. They take action by soft-deleting all malicious emails via the Action Center and isolating the affected endpoints. This unified workflow would have required switching between three separate consoles before the portal existed.
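The three hunts in Scenario 1 (mail from the sender over seven days, who clicked, and what those accounts did afterwards) chain together in a single advanced hunting query. The query below is an added example written for this chapter, not from the original page or from the institution described; the sender address is a constructed placeholder, and the join to IdentityLogonEvents assumes Defender for Identity or Defender for Cloud Apps is capturing the sign-ins in question.

```kql
// Added example (not from the original page). The sender is a constructed placeholder
// standing in for the address identified in the incident.
let MaliciousSender = "invoice@contoso-billing.example";
let Lookback = 7d;
// 1. every message from that sender in the last 7 days, with its final delivery outcome
let PhishMail = EmailEvents
| where Timestamp > ago(Lookback)
| where SenderFromAddress =~ MaliciousSender or SenderMailFromAddress =~ MaliciousSender
| project Timestamp, NetworkMessageId, RecipientEmailAddress, Subject,
          LatestDeliveryAction, LatestDeliveryLocation, ThreatTypes;
// 2. recipients who actually clicked a link in one of those messages (Safe Links telemetry);
//    UrlScanInProgress is kept because the click may have gone through before the verdict
let Clickers = UrlClickEvents
| where Timestamp > ago(Lookback)
| where ActionType in ("ClickAllowed", "UrlScanInProgress")
| join kind=inner (PhishMail | project NetworkMessageId) on NetworkMessageId
| project ClickTime = Timestamp, AccountUpn, Url, NetworkMessageId;
// 3. sign-ins by those accounts after the click, summarized so new IPs, locations and
//    failed attempts stand out as possible credential use by the attacker
IdentityLogonEvents
| where Timestamp > ago(Lookback)
| join kind=inner Clickers on AccountUpn
| where Timestamp > ClickTime
| summarize Logons = count(),
            FailedLogons = countif(ActionType == "LogonFailed"),
            IPs = make_set(IPAddress), Locations = make_set(Location),
            Apps = make_set(Application)
    by AccountUpn, Url, ClickTime
| order by ClickTime asc
```

Run step 1 on its own first (`PhishMail | summarize count() by LatestDeliveryLocation`) to size the campaign and confirm which messages still sit in inboxes before soft-deleting them from the Action Center. IdentityLogonEvents covers sign-ins seen by Defender for Identity and Defender for Cloud Apps; pure Entra ID sign-in logs are not in this table, so check Entra sign-in logs as well for accounts that appear here.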
Enterprise Scenario 2: Insider Threat Detection
A manufacturing company suspects an employee is exfiltrating data to a personal cloud storage account. The portal alerts from Defender for Cloud Apps show unusual file uploads from the employee's device to an unsanctioned app. Concurrently, Defender for Identity detects a suspicious logon from an unfamiliar IP using the employee's credentials. The portal correlates these alerts into a single incident. The SOC analyst reviews the incident, sees the timeline of events, and uses the Activity Log to see exactly which files were uploaded. They then take action to revoke the user's session and disable the account. Without the portal, the correlation between cloud app activity and identity anomalies might have been missed.
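The identity side of Scenario 2 can be hunted directly: build a baseline of the IPs an account normally signs in from, flag recent sign-ins from anything outside it, and list the file uploads that followed from the same IP. This is an added example written for this chapter, not from the original page or the company described; the UPN is a constructed placeholder, and the 30-day/1-day windows are assumptions you should tune to the tenant.

```kql
// Added example (not from the original page). Baseline vs. recent comparison for one account.
let Suspect = "jdoe@contoso.example";   // constructed placeholder for the user in the incident
let BaselineWindow = 30d;
let RecentWindow = 1d;
// IPs this account has successfully signed in from over the baseline period (excluding the last day)
let KnownIPs = IdentityLogonEvents
| where Timestamp between (ago(BaselineWindow) .. ago(RecentWindow))
| where AccountUpn =~ Suspect and ActionType == "LogonSuccess"
| distinct IPAddress;
// recent successful sign-ins from an IP never seen in the baseline
let NewIPLogons = IdentityLogonEvents
| where Timestamp > ago(RecentWindow)
| where AccountUpn =~ Suspect and ActionType == "LogonSuccess"
| where IPAddress !in (KnownIPs)
| project LogonTime = Timestamp, IPAddress, Application, Location, ISP;
// upload activity in connected cloud apps from those same IPs after the sign-in.
// AccountId may be a UPN or an object ID depending on the app, so match on the display name too.
CloudAppEvents
| where Timestamp > ago(RecentWindow)
| where AccountId =~ Suspect or AccountDisplayName =~ Suspect
| where ActionType contains "Upload"    // e.g. FileUploaded from the Office 365 audit feed
| join kind=inner NewIPLogons on IPAddress
| where Timestamp > LogonTime
| summarize Uploads = count(), Files = make_set(ObjectName, 50), Apps = make_set(Application)
    by AccountId, IPAddress, LogonTime, ISP
| order by Uploads desc
```

CloudAppEvents only holds activity from apps connected to Defender for Cloud Apps (including Microsoft 365), so uploads to a genuinely unsanctioned app reached from the device will not appear here; for those, use the Cloud Discovery reports in the portal, or DeviceNetworkEvents from Defender for Endpoint to see the connections from the device to the storage service's domain.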
Common Misconfigurations and Pitfalls
Licensing Gaps: If an organization has only Defender for Endpoint Plan 1, the portal may not show all features (e.g., advanced hunting is only in Plan 2). The exam may test that advanced hunting requires E5 or add-on licenses.
RBAC Over-restriction: Assigning only 'Security Reader' role prevents analysts from taking actions. They must have 'Security Operator' or 'Security Administrator' to perform remediation.
Data Retention Confusion: Raw telemetry in advanced hunting is retained for 30 days. For longer retention, organizations must stream the events out (the Defender for Endpoint streaming API to Azure Event Hubs or an Azure Storage account) or ingest them into Microsoft Sentinel, where the Log Analytics retention applies. The exam may ask about default retention periods.
Ignoring Threat Analytics: During a major outbreak (e.g., Log4j), the Threat Analytics section provides specific detection rules and recommended actions. Analysts who skip this section may miss critical guidance.
What SC-900 Tests on This Topic
The SC-900 exam objective 3.1 includes 'Describe the capabilities of Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and Microsoft 365 Defender.' The portal is the primary interface for Microsoft 365 Defender. Expect questions that ask:
Which portal provides unified incident management? (Answer: Microsoft Defender Portal at security.microsoft.com)
Where can you find threat intelligence reports? (Threat Analytics)
What language is used for advanced hunting? (KQL)
Which component provides email threat protection? (Defender for Office 365)
Common Wrong Answers and Why Candidates Choose Them
Wrong: 'Microsoft 365 security center' or 'Security & Compliance Center' – These are outdated names. The current portal is 'Microsoft Defender Portal' (or 'Microsoft 365 Defender portal'). Candidates who studied older material may choose these.
Wrong: 'Azure Security Center' or 'Microsoft Sentinel' – Azure Security Center (now Defender for Cloud) is for cloud infrastructure, not unified M365 threat protection. Sentinel is a SIEM, not the same as the Defender Portal. Candidates confuse cloud security with M365 security.
Wrong: 'Use the individual product portals for investigation' – The exam emphasizes that the Defender Portal unifies them. Choosing separate portals is incorrect.
Wrong: 'Incidents and alerts are the same thing' – Alerts are individual events; incidents are groups of related alerts. Candidates may think they are interchangeable.
Specific Numbers and Terms That Appear on the Exam
Portal URL: security.microsoft.com
Default data retention for advanced hunting: 30 days
Severity levels: Informational, Low, Medium, High (incident severity is the highest of its alerts; there is no Critical level)
Incident statuses: New, In Progress, Resolved
Action Center: for approving remediation actions
Secure Score: posture measurement (0-100%)
Threat Analytics: reports from Microsoft researchers
Edge Cases and Exceptions
If an organization has only one Defender workload (e.g., only Defender for Office 365), the portal still works but only shows that workload's data.
Some features like advanced hunting require specific licenses (e.g., Defender for Endpoint Plan 2 or M365 E5). The exam may ask which license is required for a given capability.
The portal supports custom roles beyond Azure AD roles. Candidates should know that RBAC can be granular.
Incidents are created only by the portal's automatic correlation; there is no 'new incident' button. When the system did not correlate an alert, analysts can use 'Link to another incident' on the alert page to move it into the right incident, or merge two incidents that turn out to be the same attack.
How to Eliminate Wrong Answers
If the question asks about 'unified security operations,' the answer must involve the Microsoft Defender Portal.
If the question mentions 'querying raw telemetry,' the answer is Advanced Hunting.
If the question mentions 'current threats and recommendations from Microsoft,' the answer is Threat Analytics.
If the question mentions 'taking remediation actions,' the answer is Action Center.
Eliminate any answer that says 'Azure Portal' or 'Azure Security Center' unless the question is specifically about cloud infrastructure (which is not M365).
The Microsoft Defender Portal is the central hub for all M365 Defender workloads, accessed at security.microsoft.com.
Incidents are groups of related alerts; alerts are individual security events.
Advanced hunting uses Kusto Query Language (KQL) to query raw telemetry across all Defender data sources.
Threat Analytics provides curated threat intelligence from Microsoft researchers, including attack chain details and recommended actions.
The Action Center manages pending and completed remediation actions like device isolation or email deletion.
Secure Score measures your security posture and provides recommendations for improvement.
Data retention for advanced hunting is 30 days; alerts and incidents are kept for 180 days.
RBAC for the portal can be configured using Azure AD roles (Security Reader, Operator, Administrator) or custom roles.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Defender Portal
Unified interface for M365 threat protection (endpoint, email, identity, cloud apps).
URL: security.microsoft.com.
Focuses on user, device, and data security within Microsoft 365.
Incidents and alerts are cross-product correlated.
Advanced hunting uses KQL against M365 data tables.
Azure Security Center (Defender for Cloud)
Unified interface for cloud workload protection (VMs, containers, databases).
URL: portal.azure.com (Defender for Cloud is a blade of the Azure portal; it has no separate portal of its own).
Focuses on infrastructure security in Azure and hybrid environments.
Security alerts are per-resource, with security incidents for multi-resource attacks.
Uses Azure Monitor logs and KQL for cloud resource telemetry.
Mistake
The Microsoft Defender Portal is the same as the Azure Security Center.
Correct
The Microsoft Defender Portal (security.microsoft.com) is for Microsoft 365 threat protection, while Azure Security Center (now Defender for Cloud) is for cloud infrastructure security. They are separate portals with different purposes.
Mistake
You need to purchase Microsoft 365 Defender separately to access the portal.
Correct
Microsoft 365 Defender (Defender XDR) is not a separate product; it's the brand for the suite of Defender capabilities. The portal is included with any license that includes at least one Defender workload, for example Microsoft 365 E5, Microsoft 365 Business Premium, or Microsoft 365 E3 with a Defender add-on such as Defender for Office 365 Plan 1 or Defender for Endpoint Plan 2.
Mistake
Alerts and incidents are the same thing in the portal.
Correct
Alerts are individual security events (e.g., 'Malware detected on device X'), while incidents are groups of related alerts that together form a story of an attack. The portal automatically correlates alerts into incidents.
Mistake
Advanced hunting can be used without any additional license.
Correct
Advanced hunting requires a license that includes the necessary data sources. For example, Defender for Endpoint Plan 2 or Microsoft 365 E5 is required. Without these, the Advanced Hunting page may be unavailable or limited.
Mistake
The portal can only be accessed by global administrators.
Correct
Access is controlled via Azure AD roles (Security Reader, Security Operator, Security Administrator) or custom roles created within the portal. Global administrators have access but it is not required.
The Microsoft Defender Portal (security.microsoft.com) focuses on security operations: threat detection, investigation, and response. The Microsoft 365 compliance portal (compliance.microsoft.com) focuses on compliance management: data classification, retention, eDiscovery, and audit. They are separate but can be accessed from each other via links. For SC-900, know that the Defender Portal is for security, the compliance portal is for compliance.
Yes. Microsoft 365 Business Premium includes Defender for Office 365 Plan 1, Microsoft Defender for Business (the small-business edition of Defender for Endpoint), and other security features. The portal is available but with fewer capabilities than E5 (e.g., no advanced hunting, a reduced Threat Analytics experience). You will see incidents and alerts from the included workloads.
In Advanced Hunting, write a KQL query that detects a pattern. Click 'Create detection rule'. Give it a name, set severity, frequency, and action. The rule will run periodically and generate alerts when the query returns results. Custom detection rules are a key feature for proactive threat hunting.
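The hunt-to-detection path described in the Advanced Hunting step and in the answer above has one requirement the wizard enforces: the query's result set must include Timestamp and ReportId, plus at least one entity column (DeviceId, AccountObjectId, AccountUpn, NetworkMessageId, and so on) so the rule can attach impacted entities to the alerts it raises. The following query is an added example written for this chapter, not from the original page or from Microsoft, and the list of parent and child process names is a judgement call for illustration rather than a Microsoft-supplied list.

```kql
// Added example (not from the original page): Office applications spawning a script or
// LOLBin with a download/encoded-command pattern, a common phishing payload stage.
// Every row carries Timestamp, ReportId and DeviceId, which 'Create detection rule' requires.
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "downloadstring",
                                    "iex", "invoke-expression", "http")
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          ParentProcess = InitiatingProcessFileName,
          ParentCommandLine = InitiatingProcessCommandLine,
          FileName, ProcessCommandLine, SHA256
```

When you save this as a detection rule, choose a frequency (the rule's own lookback is tied to that frequency, so the `ago(1d)` filter mainly matters for interactive runs), pick DeviceId as the impacted entity, and optionally attach response actions such as isolating the device or collecting an investigation package. Run the query interactively for a week first to measure false positives before enabling automatic isolation.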
Security Reader has read-only access to all security data (incidents, alerts, hunting results) but cannot take any actions. Security Operator can read data AND take remediation actions (e.g., isolate device, delete email). Security Administrator has full access including configuration changes. For the exam, remember that operators can act, readers cannot.
Incidents are retained for 180 days from the time of the last activity. After 180 days, they are automatically deleted. However, if an incident is resolved, it remains accessible until the retention period expires. Alerts within the incident are retained for the same period. This is important for audit and forensic purposes.
Yes. Microsoft Sentinel integrates through the 'Microsoft Defender XDR' data connector (formerly the 'Microsoft 365 Defender' connector). The connector ingests incidents and alerts from the Defender Portal into Sentinel, allowing for correlation with non-Microsoft data, automation (playbooks), and long-term retention; incident status changes are synchronized in both directions. The exam may test that Sentinel is the SIEM, while the Defender Portal is the SOC hub.
The Learning Hub provides interactive tutorials, guided walkthroughs, and training modules for security analysts. It covers topics like incident investigation, advanced hunting, and threat analytics. It is designed to help new analysts get familiar with the portal. For the exam, know it exists as a training resource.