SC-900 | Chapter 78 of 103 | Objective 3.3

Microsoft 365 Defender Portal Overview

This chapter provides a comprehensive overview of the Microsoft 365 Defender portal, the unified security operations platform that correlates signals across Microsoft's security products. For SC-900, understanding the architecture, key capabilities, and integration points of this portal is critical, as approximately 15-20% of exam questions in the 'Security Solutions' domain (Objective 3.3) cover this topic. You will learn exactly what the portal does, how it correlates alerts into incidents, and how it enables automated investigation and response across endpoints, email, identities, and cloud apps.

25 min read
Intermediate
Updated May 31, 2026

The Unified Security Operations Center

Imagine a large corporate headquarters with multiple separate security teams: one team monitors the front door (email), another watches the parking lot (endpoints), a third patrols the hallways (identities), and a fourth guards the server room (cloud apps). Each team has its own radio channel, logbook, and alert system. When the front door team spots a suspicious package, they radio their own team, note it in their log, and maybe call the parking lot team if they think it's relevant, but often the call never comes because the package didn't set off any parking lot sensors. Meanwhile, the hallway team might notice the same suspect loitering near the server room, but they have no way to correlate that with the package at the front door. The result: missed attacks, delayed responses, and duplicate investigations.

Now replace that fragmented setup with a single, unified operations center. All teams now use the same radio frequency, the same digital incident board, and the same shared logbook. When the front door team flags a suspicious email attachment, the operations center automatically checks if that same attachment was seen on any endpoint, if the sender's identity has been compromised, and if any cloud app activity matches the pattern. A single alert is created, not four separate ones. The operations center correlates signals across all domains, automates the initial investigation, and presents one unified incident timeline to the analyst.

That unified operations center is exactly what the Microsoft 365 Defender portal provides: a single pane of glass that ingests signals from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and Microsoft Sentinel, correlates them using advanced analytics, and surfaces coordinated incidents with automated response playbooks.

How It Actually Works

What Is the Microsoft 365 Defender Portal?

The Microsoft 365 Defender portal (formerly known as the Microsoft 365 security center) is a unified web-based interface at https://security.microsoft.com that aggregates security signals from multiple Microsoft security products into a single dashboard. It is designed to give security operations teams (SOC) a consolidated view of threats across the entire Microsoft 365 ecosystem, including endpoints, email and collaboration, identities, and cloud applications. The portal is the central hub for incident response, threat hunting, and security posture management in the Microsoft 365 Defender suite.

Why It Exists

Before Microsoft 365 Defender, organizations had to manage separate consoles for each security product: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and later Microsoft Sentinel. Each console had its own alerts, investigation tools, and response capabilities. This siloed approach led to alert fatigue, missed correlations, and slower response times. The Microsoft 365 Defender portal solves this by ingesting signals from all these products, correlating related alerts into a single incident, and providing a unified investigation and response experience. It also leverages AI and automation to reduce the manual work of triaging and investigating threats.

How It Works Internally — Step Through the Mechanism

The Microsoft 365 Defender portal operates on a signal ingestion and correlation pipeline. Here is the step-by-step mechanism:

1. Signal Ingestion: Each Microsoft security product generates alerts based on its own detection logic. For example, Microsoft Defender for Endpoint detects malware on a device, Microsoft Defender for Office 365 detects a phishing email, Microsoft Defender for Identity detects a suspicious login, and Microsoft Defender for Cloud Apps detects an anomalous file download. These alerts are sent to the Microsoft 365 Defender backend in near real-time.

2. Correlation Engine: The Microsoft 365 Defender correlation engine uses machine learning and rule-based logic to link alerts that are part of the same attack chain. It considers attributes like:
   - Entities: Users, devices, IP addresses, email messages, files, etc.
   - Timing: Alerts occurring within a short time window (default 48 hours) are more likely to be related.
   - Attack patterns: Known tactics, techniques, and procedures (TTPs) from the MITRE ATT&CK framework.
   - Common indicators: Same malicious file hash, same phishing URL, same attacker IP.

3. Incident Creation: When the correlation engine determines that multiple alerts are related, it creates a single incident. An incident is a collection of related alerts that together describe a complete attack story. Each incident has a severity level (Informational, Low, Medium, High, Critical) and a status (New, In Progress, Resolved). The incident includes a timeline of all activities, affected entities, and recommended actions.

4. Automated Investigation and Response (AIR): For incidents that meet certain criteria (e.g., high severity, specific attack types), the portal can automatically trigger playbooks that investigate the incident and take remediation actions. For example, if a device is found to be infected with a specific malware variant, AIR might automatically isolate the device from the network, block the malicious file, and notify the user. These playbooks are built into the Microsoft 365 Defender portal and can be customized.

5. Unified Investigation Experience: When a security analyst opens an incident in the portal, they see a single view that includes:
   - Incident graph: A visual representation of the attack chain showing how alerts are connected.
   - Alerts tab: All individual alerts that are part of the incident, with details from each source product.
   - Assets tab: Affected users, devices, mailboxes, and cloud app instances.
   - Evidence and response tab: A list of all evidence (e.g., quarantined files, blocked IPs) and actions taken automatically or manually.
   - Timeline: A chronological list of all events related to the incident.

Key Components, Values, Defaults, and Timers

Incident Severity Levels: Informational (1), Low (2), Medium (3), High (4), Critical (5). The severity is determined by the highest severity alert in the incident.

Incident Status: New, In Progress, Resolved. Resolved incidents can have a classification (True Positive, False Positive, Benign Positive) and a determination (Malware, Phishing, Unwanted Software, etc.).

Alert Correlation Time Window: By default, alerts that occur within 48 hours of each other and share common entities are candidates for correlation. This window can be adjusted via the portal settings.

Automated Investigation and Response (AIR): AIR is enabled by default for all Microsoft 365 Defender customers. It can be configured to automatically take remediation actions (e.g., isolate device, block file) or only recommend actions for manual approval.

Threat Analytics: A feature within the portal that provides threat intelligence reports from Microsoft researchers. It includes active threats, attack vectors, and recommended mitigations.

Hunting: The portal includes advanced hunting capabilities using Kusto Query Language (KQL) to query raw data from all integrated products. Data retention for advanced hunting is 30 days by default.

Secure Score: A measurement of an organization's security posture based on configuration best practices. It is calculated from recommendations across Microsoft 365 and Azure.

Configuration and Verification Commands

While the Microsoft 365 Defender portal is primarily a GUI-based interface, some configurations can be managed via PowerShell or the Microsoft Graph API. For example, to list incidents via the Microsoft 365 Defender incidents REST API (the endpoint shown below; the PowerShell cmdlets further down go through Microsoft Graph instead):

GET https://api.security.microsoft.com/api/incidents

To retrieve a specific incident:

GET https://api.security.microsoft.com/api/incidents/{incidentId}

To update an incident status:

PATCH https://api.security.microsoft.com/api/incidents/{incidentId}
{
  "status": "InProgress",
  "classification": "TruePositive",
  "determination": "Malware"
}

PowerShell module for Microsoft 365 Defender (preview):

# The Microsoft Graph PowerShell SDK module is named Microsoft.Graph; the security cmdlets live in its Microsoft.Graph.Security sub-module
Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force
# Sign in interactively and consent to the incident read/write scope
Connect-MgGraph -Scopes "SecurityIncident.ReadWrite.All"
# Return the first 10 incidents from the Graph security API
Get-MgSecurityIncident -Top 10
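The REST calls above, wrapped in a small Python client as an added example (not Microsoft's SDK and not code from this page). It assumes a bearer token has already been obtained for the Microsoft 365 Defender API (token acquisition is out of scope), that GET lists incidents and accepts an OData $filter on status, and that PATCH updates the fields shown above; the status, classification and determination value sets are the ones this chapter lists, so check the API reference for the full set. The HTTP transport is injectable, so the request-building and validation logic runs offline against a fake API holding two constructed incidents.

```python
"""Minimal incident client for the endpoints quoted in the chapter (added example)."""
import json
import urllib.parse
import urllib.request

BASE_URL = "https://api.security.microsoft.com/api/incidents"
# Value sets as listed in this chapter (assumption: the API may accept more).
STATUSES = {"New", "InProgress", "Resolved"}
CLASSIFICATIONS = {"TruePositive", "FalsePositive", "BenignPositive"}
DETERMINATIONS = {"Malware", "Phishing", "UnwantedSoftware"}


def urllib_transport(method, url, headers, body):
    """Real transport: send the request with urllib, return (HTTP status, bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


class IncidentClient:
    def __init__(self, token, transport=urllib_transport, base_url=BASE_URL):
        self.token, self.transport, self.base_url = token, transport, base_url

    def _call(self, method, url, payload=None):
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, raw = self.transport(method, url, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {url} -> HTTP {status}")
        return json.loads(raw) if raw else {}

    def list_incidents(self, status=None, top=None):
        """GET /incidents, optionally with $filter=status eq '<status>' and $top."""
        params = {}
        if status is not None:
            if status not in STATUSES:
                raise ValueError(f"unknown status {status!r}")
            params["$filter"] = f"status eq '{status}'"
        if top is not None:
            params["$top"] = str(top)
        url = self.base_url
        if params:  # percent-encode spaces and quotes so urllib accepts the URL
            url += "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
        return self._call("GET", url).get("value", [])

    def get_incident(self, incident_id):
        return self._call("GET", f"{self.base_url}/{incident_id}")

    def update_incident(self, incident_id, status, classification=None, determination=None):
        """PATCH /incidents/{id} with the body shape shown above; values validated first."""
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r}")
        payload = {"status": status}
        if classification is not None:
            if classification not in CLASSIFICATIONS:
                raise ValueError(f"unknown classification {classification!r}")
            payload["classification"] = classification
        if determination is not None:
            if determination not in DETERMINATIONS:
                raise ValueError(f"unknown determination {determination!r}")
            payload["determination"] = determination
        return self._call("PATCH", f"{self.base_url}/{incident_id}", payload)


class FakeIncidentApi:
    """Offline stand-in for the API with two constructed incidents; checks the bearer header."""
    def __init__(self):
        self.incidents = {
            1001: {"incidentId": 1001, "status": "New", "severity": "High"},
            1002: {"incidentId": 1002, "status": "Resolved", "severity": "Low"},
        }

    def __call__(self, method, url, headers, body):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or len(auth) == len("Bearer "):
            return 401, b""
        parts = urllib.parse.urlparse(url)
        if method == "GET" and parts.path.endswith("/incidents"):
            items = list(self.incidents.values())
            flt = urllib.parse.parse_qs(parts.query).get("$filter", [""])[0]
            if flt.startswith("status eq '"):
                items = [i for i in items if i["status"] == flt.split("'")[1]]
            return 200, json.dumps({"value": items}).encode()
        tail = parts.path.rsplit("/", 1)[1]
        inc = self.incidents.get(int(tail)) if tail.isdigit() else None
        if inc is None:
            return 404, b""
        if method == "PATCH":
            inc.update(json.loads(body))
        return 200, json.dumps(inc).encode()


def demo():
    """Triage loop against the fake: list New incidents, then resolve one as TruePositive/Malware."""
    client = IncidentClient(token="<placeholder-token>", transport=FakeIncidentApi())
    new_ids = [i["incidentId"] for i in client.list_incidents(status="New")]
    updated = client.update_incident(1001, "Resolved", "TruePositive", "Malware")
    return new_ids, updated["status"], updated["classification"]
```

Swapping `FakeIncidentApi()` for the default `urllib_transport` sends the same requests to the real endpoint; validating field values client-side keeps a typo in a triage script from producing a 400 halfway through a batch update.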

How It Interacts with Related Technologies

Microsoft 365 Defender Products: The portal integrates directly with Defender for Endpoint, Office 365, Identity, and Cloud Apps. Each product sends alerts to the portal, and the portal can trigger responses in those products (e.g., isolating a device in Defender for Endpoint).

Microsoft Sentinel: Sentinel can ingest incidents from Microsoft 365 Defender via the Microsoft 365 Defender connector. This allows Sentinel to provide additional SIEM capabilities, such as longer data retention, custom analytics rules, and integration with third-party security products.

Azure Active Directory (Azure AD): Identity signals from Azure AD Identity Protection (e.g., risky sign-ins) are also correlated in the portal as part of Defender for Identity.

Microsoft Intune: Device compliance and management data from Intune can be used to inform incident response actions, such as requiring a device to be compliant before allowing access.

Microsoft Purview Compliance Portal: While the security portal focuses on threats, the compliance portal handles data governance and compliance. They are separate but can be accessed from the same navigation menu.

Exam-Relevant Details

The Microsoft 365 Defender portal is accessed at https://security.microsoft.com.

It is not a SIEM; it is an XDR (Extended Detection and Response) platform. SIEM capabilities are provided by Microsoft Sentinel.

The portal provides unified incident management, advanced hunting, threat analytics, and secure score.

Automated Investigation and Response (AIR) is a key differentiator from traditional security consoles.

The portal does not replace individual product consoles entirely; those consoles still exist for deep product-specific configurations (e.g., Defender for Endpoint's advanced features).

Licensing: Microsoft 365 Defender is included in Microsoft 365 E5, Microsoft 365 E5 Security, or as a standalone add-on. Without E5, some features may be limited.

Trap Patterns and Exam Tips

Trap: Candidates often think the portal replaces all individual security consoles. Reality: The individual consoles still exist for advanced settings; the portal is the unified investigation and response interface.

Trap: Candidates confuse the portal with Microsoft Sentinel. Remember: Sentinel is a SIEM that can ingest from Defender, but the Defender portal is XDR.

Trap: The portal is not just a dashboard; it includes active response capabilities via AIR.

Trap: The portal does not manage compliance; that is the Microsoft Purview compliance portal.

Summary

The Microsoft 365 Defender portal is the central hub for security operations in Microsoft 365. It correlates alerts from multiple Defender products into incidents, enables automated investigation and response, and provides advanced hunting and threat intelligence. For SC-900, focus on understanding its role as an XDR platform, its integration points, and its key features like incidents, AIR, and secure score.

Walk-Through

1. Signals Ingested from Defender Products

Each Microsoft Defender product (Endpoint, Office 365, Identity, Cloud Apps) continuously monitors its domain and generates alerts when suspicious activity is detected. For example, Microsoft Defender for Endpoint uses behavioral sensors, cloud-based analytics, and threat intelligence to detect malware, exploits, and suspicious behaviors on endpoints. These alerts contain rich metadata: affected device ID, user ID, file hash, process name, timestamp, severity, and MITRE ATT&CK technique IDs. The alerts are sent to the Microsoft 365 Defender backend via secure API calls in near real-time (typically within seconds). The backend stores these alerts in a unified data lake for correlation and analysis.

2. Correlation Engine Links Related Alerts

The correlation engine in Microsoft 365 Defender runs continuously, analyzing incoming alerts against existing alerts and historical data. It uses a combination of deterministic rules (e.g., same file hash, same user, same IP address) and machine learning models to identify alert relationships. The default correlation window is 48 hours; alerts that share common entities and occur within this window are grouped. For example, a phishing email alert from Defender for Office 365 that delivered a malware attachment, followed by a malware detection alert from Defender for Endpoint on the same user's device, will be correlated. The engine assigns a confidence score to each correlation, and if the score exceeds a threshold, a new incident is created or an existing incident is updated.

3. Incident Created with Full Context

When a correlation is confirmed, the system creates a new incident object in the portal. The incident is assigned a unique ID, a severity level (based on the highest severity alert in the group), and a status of 'New'. The incident aggregates all related alerts, affected assets (users, devices, mailboxes, cloud apps), and a timeline of events. The portal also generates an incident graph that visually maps the attack chain, showing how each alert connects to the next. For example, an incident might show that a user received a phishing email (alert from Office 365), clicked a link that downloaded malware (alert from Endpoint), and then the attacker used stolen credentials to access a cloud app (alert from Cloud Apps). The incident becomes the single source of truth for the investigation.
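The correlation mechanism described in the "Correlation Engine" and "Incident Creation" steps above, and restated in walk-through steps 2 and 3, reduced to a toy correlator as an added example (not Microsoft's code and not from this page). It assumes that alerts sharing at least one entity (user, device, file hash, IP) and arriving within the chapter's 48-hour default window belong to one incident, that the incident's severity is the highest alert severity in the group, and that an alert which bridges two previously separate incidents merges them. The entity kinds, identifiers and sample alerts are constructed for the example.

```python
"""Toy alert-to-incident correlator (added example of the mechanism in this chapter)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_RANK = {"Informational": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}
CORRELATION_WINDOW = timedelta(hours=48)  # default window stated in the chapter


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str          # product that raised it: Office365, Endpoint, Identity, CloudApps
    severity: str
    time: datetime
    entities: frozenset  # (kind, value) pairs that products have in common


@dataclass
class Incident:
    incident_id: int
    alerts: list = field(default_factory=list)
    status: str = "New"  # a freshly created incident starts as New

    @property
    def entities(self):
        return frozenset().union(*(a.entities for a in self.alerts))

    @property
    def last_seen(self):
        return max(a.time for a in self.alerts)

    @property
    def severity(self):
        # Incident severity is the highest severity among its alerts.
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)


def correlate(alerts):
    """Group alerts into incidents; returns incidents in creation order."""
    incidents, next_id = [], 1
    for alert in sorted(alerts, key=lambda a: a.time):
        matches = [
            inc for inc in incidents
            if alert.entities & inc.entities                      # shares an entity
            and alert.time - inc.last_seen <= CORRELATION_WINDOW  # inside the window
        ]
        if not matches:
            target = Incident(incident_id=next_id)
            next_id += 1
            incidents.append(target)
        else:
            # The alert may bridge two incidents that were separate so far: merge them.
            target = matches[0]
            for other in matches[1:]:
                target.alerts.extend(other.alerts)
                incidents.remove(other)
        target.alerts.append(alert)
    return incidents


T0 = datetime(2024, 1, 1, 9, 0)  # constructed start time


def make_alert(alert_id, source, severity, hours, entities):
    """Convenience constructor; time is expressed as hours after T0."""
    return Alert(alert_id, source, severity, T0 + timedelta(hours=hours), frozenset(entities))


ALICE = ("user", "alice@contoso.example")  # constructed identifiers
SAMPLE_ALERTS = [  # the phishing -> malware -> suspicious login chain from the chapter
    make_alert("A1", "Office365", "Low", 0, {ALICE, ("sha256", "H1")}),
    make_alert("A2", "Endpoint", "High", 1, {ALICE, ("device", "DEV1"), ("sha256", "H1")}),
    make_alert("A3", "Identity", "Medium", 3, {ALICE, ("ip", "203.0.113.5")}),
    make_alert("A4", "CloudApps", "Medium", 96, {ALICE}),  # same user, but 93 h after A3
    make_alert("A5", "Endpoint", "Informational", 2, {("user", "bob@contoso.example"), ("device", "DEV2")}),
]


def demo():
    """Returns (incident id, severity, alert ids) per incident for the sample alerts."""
    return [(inc.incident_id, inc.severity, [a.alert_id for a in inc.alerts])
            for inc in correlate(SAMPLE_ALERTS)]
```

Running `demo()` yields three incidents: A1, A2 and A3 collapse into one High-severity incident, Bob's unrelated alert stands alone, and A4 opens a new incident for Alice because it falls outside the 48-hour window even though it shares her user entity.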

4. Automated Investigation and Response (AIR) Launched

For incidents that meet certain criteria (e.g., severity High or Critical, or specific attack types like ransomware), the portal automatically triggers AIR playbooks. These playbooks are built-in automation workflows that perform initial investigation steps: they check whether the affected device is still active, look for related alerts in other products, scan for additional indicators of compromise, and gather forensic evidence. Based on the findings, AIR may take automatic remediation actions such as isolating a device from the network, blocking a malicious file, disabling a user account, or resetting a password. These actions are logged in the incident's 'Evidence and Response' tab. Administrators can configure AIR to require manual approval for critical actions or to run fully automated.

5. Analyst Investigates and Resolves Incident

The security analyst reviews the incident in the portal, using the unified view to understand the full scope. The analyst can drill into each alert, examine the affected assets, and use advanced hunting to query raw data for additional clues. The incident graph helps visualize the attack path. The analyst can also see the actions taken by AIR and decide whether to approve, reject, or supplement them. Once the investigation is complete, the analyst classifies the incident (True Positive, False Positive, Benign Positive) and assigns a determination (e.g., Malware, Phishing, Unwanted Software). The incident status is changed to 'Resolved', and the system may automatically close related alerts. This step ensures that the incident is properly documented and that lessons learned can be applied to future detections.

What This Looks Like on the Job

Enterprise Scenario 1: Multistage Phishing Attack

A large financial services company with 10,000 employees uses Microsoft 365 E5, including all Defender products. An attacker sends a spear-phishing email to a finance executive. The email bypasses the initial spam filter but is flagged by Defender for Office 365 as a phishing attempt with low severity (due to a new domain). The executive clicks the link and downloads a malicious macro-enabled document. Defender for Endpoint detects the macro execution and blocks the process, but a command-and-control connection is established. The correlation engine in Microsoft 365 Defender links the phishing alert (Office 365) with the malware alert (Endpoint) and a subsequent suspicious login from an unusual location (Defender for Identity). An incident is created with Critical severity. AIR automatically isolates the executive's device and disables the compromised account. The SOC analyst reviews the incident, confirms the attack, and initiates password reset for the executive and other potentially affected users. The incident is resolved within 30 minutes, whereas without the unified portal, it could have taken hours to correlate the alerts manually across separate consoles.

Enterprise Scenario 2: Insider Data Exfiltration

A technology company uses Microsoft 365 Defender for Cloud Apps to monitor cloud app usage. An employee starts downloading large volumes of confidential files from SharePoint to a personal device. Defender for Cloud Apps generates an alert for anomalous download activity. Simultaneously, Defender for Identity detects that the employee's account is being used from an unusual IP address (a VPN). The correlation engine links these alerts into an incident. Since the activity is not malicious per se (the employee is authorized to access the files), the incident severity is Medium. AIR does not automatically block the account (to avoid false positives), but it recommends investigation. The SOC analyst reviews the incident, sees the correlation, and initiates a conversation with the employee's manager. It turns out the employee is leaving the company and was exfiltrating data for a competitor. The analyst then triggers a manual response to block the user's access and revoke permissions. The unified portal allowed the SOC to detect the exfiltration early and prevent data loss.

Common Misconfigurations and Pitfalls

Licensing Gaps: Organizations may have E3 licenses but try to use advanced features like AIR, which requires E5. This leads to partial functionality.

Not Enabling Integration: Some products (e.g., Defender for Identity) require explicit configuration to send alerts to the portal. Without this, correlation fails.

Over-reliance on Automation: Some SOCs set AIR to fully automatic without manual approval, leading to unintended disruptions (e.g., isolating a CEO's device during a false positive).

Ignoring Secure Score: Many organizations do not regularly review Secure Score recommendations, missing opportunities to improve their security posture and reduce attack surface.

Performance and Scale Considerations

The portal is designed to handle millions of alerts per day for large enterprises. Microsoft's backend scales automatically. However, advanced hunting queries can be resource-intensive; Microsoft recommends using targeted queries and avoiding broad scans during peak hours. Data retention for raw signals is 30 days, but incidents are retained for up to 180 days (or longer with Sentinel integration).

How SC-900 Actually Tests This

Exactly What SC-900 Tests on This Topic

The SC-900 exam objective 3.3 ("Describe the capabilities of Microsoft 365 Defender") expects you to understand the following:

The purpose of the Microsoft 365 Defender portal as a unified security operations platform.

The key features: Incidents, Alert correlation, Automated Investigation and Response (AIR), Advanced Hunting, Threat Analytics, Secure Score.

The integration with Microsoft 365 Defender products: Defender for Endpoint, Office 365, Identity, Cloud Apps.

The difference between the Defender portal (XDR) and Microsoft Sentinel (SIEM).

The licensing requirements: Microsoft 365 E5 or E5 Security.

Most Common Wrong Answers and Why Candidates Choose Them

1. "The portal replaces individual Defender consoles." Wrong because each product still has its own console for deep configuration; the portal is for unified investigation and response.

2. "The portal is a SIEM." Wrong because SIEM capabilities are provided by Microsoft Sentinel; the portal is an XDR platform.

3. "The portal is used for compliance management." Wrong because compliance is handled by the Microsoft Purview compliance portal.

4. "All Microsoft 365 licenses include the full portal capabilities." Wrong because advanced features like AIR and advanced hunting require E5 licenses.

Specific Numbers, Values, and Terms That Appear on the Exam

URL: https://security.microsoft.com

Incident correlation window: 48 hours (default)

Severity levels: Informational, Low, Medium, High, Critical

Incident statuses: New, In Progress, Resolved

AIR: Automated Investigation and Response

Secure Score: A measurement of security posture (0-100%)

Advanced hunting: Uses Kusto Query Language (KQL)

Data retention for advanced hunting: 30 days

Edge Cases and Exceptions the Exam Loves

What if an organization has E3 licenses? They can access the portal but with limited features (e.g., no AIR, limited hunting).

Can the portal correlate alerts from third-party products? No, only Microsoft security products. For third-party integration, use Microsoft Sentinel.

Does the portal work without any Defender product enabled? No, it requires at least one Defender product to be active.

How to Eliminate Wrong Answers Using the Underlying Mechanism

When you see a question about the portal, ask yourself: "Is this about unified investigation and response across Microsoft security products?" If yes, it's the portal. If it's about long-term data storage, custom analytics, or third-party integration, it's Sentinel. If it's about compliance policies, it's Purview. The portal's core mechanism is correlation of alerts into incidents and automated response. Use that to eliminate answers that describe other services.

Key Takeaways

Microsoft 365 Defender portal is an XDR platform at https://security.microsoft.com.

It correlates alerts from Defender for Endpoint, Office 365, Identity, and Cloud Apps into incidents.

Incidents have severity levels (Informational to Critical) and statuses (New, In Progress, Resolved).

Automated Investigation and Response (AIR) can automatically remediate threats.

Advanced hunting uses Kusto Query Language (KQL) with 30-day data retention.

Secure Score measures security posture based on configuration recommendations.

The portal does not replace individual product consoles; those exist for advanced settings.

Full functionality requires Microsoft 365 E5 or E5 Security license.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Microsoft 365 Defender Portal (XDR)

Unified incident management for Microsoft security products only

Automated Investigation and Response (AIR) built-in

Default data retention of 30 days for advanced hunting

Accessible at https://security.microsoft.com

Included with Microsoft 365 E5 license

Microsoft Sentinel (SIEM)

SIEM and SOAR for any security product (third-party included)

Custom analytics rules and playbooks via Logic Apps

Data retention configurable up to 2 years (or more with hot/cold tiers)

Accessible at https://portal.azure.com

Separate licensing (pay-as-you-go or reserved capacity)

Watch Out for These

Mistake

The Microsoft 365 Defender portal is just a dashboard that shows alerts from different products.

Correct

It is much more than a dashboard. It actively correlates alerts into incidents, launches automated investigation and response playbooks, and provides advanced hunting capabilities. It is an XDR platform, not just a visualization tool.

Mistake

You need the Microsoft 365 Defender portal to use any of the Defender products.

Correct

Each Defender product (Endpoint, Office 365, Identity, Cloud Apps) has its own console and can be used independently. The portal adds value by unifying alerts and enabling cross-product correlation, but it is not mandatory for individual product functionality.

Mistake

The portal replaces Microsoft Sentinel for all security operations.

Correct

Sentinel is a SIEM that provides long-term data retention, custom analytics rules, and integration with third-party sources. The portal is an XDR for Microsoft security products. They complement each other; many organizations use both, with the portal as the primary XDR and Sentinel as the enterprise SIEM.

Mistake

All features in the portal are available with any Microsoft 365 license.

Correct

Advanced features like Automated Investigation and Response, advanced hunting, and threat analytics require Microsoft 365 E5 or E5 Security licenses. Basic incident viewing may be available with E3, but full functionality requires E5.

Mistake

The portal can correlate alerts from any security product, including third-party tools.

Correct

The portal only correlates alerts from Microsoft security products: Defender for Endpoint, Office 365, Identity, Cloud Apps, and Azure AD Identity Protection. For third-party integration, you must use Microsoft Sentinel.


Frequently Asked Questions

What is the difference between Microsoft 365 Defender portal and Microsoft Sentinel?

The Microsoft 365 Defender portal is an XDR (Extended Detection and Response) platform that correlates alerts from Microsoft security products only. It provides unified incident management, automated investigation and response, and advanced hunting for Microsoft 365 environments. Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) that can ingest data from any source, including third-party products, and provides custom analytics, long-term data retention, and orchestration via Logic Apps. In short, Defender portal is for Microsoft-specific XDR; Sentinel is for enterprise-wide SIEM. Many organizations use both, with Defender portal as the primary XDR and Sentinel as the central SIEM.

Do I need a separate license for Microsoft 365 Defender portal?

The portal itself is included with Microsoft 365 E5, Microsoft 365 E5 Security, or as a standalone add-on. However, the individual Defender products (Endpoint, Office 365, Identity, Cloud Apps) each require their own licenses. Without E5, you may have access to a limited version of the portal with basic incident viewing but without advanced features like AIR or advanced hunting. For SC-900, remember that full functionality requires E5 licensing.

Can I use the Microsoft 365 Defender portal to manage compliance policies?

No, compliance policies (e.g., data loss prevention, eDiscovery, retention labels) are managed in the Microsoft Purview compliance portal at https://compliance.microsoft.com. The Microsoft 365 Defender portal is focused on security threats and incidents. The two portals are separate but can be accessed from the same navigation menu in the Microsoft 365 admin center.

What happens when an incident is created in the portal?

When the correlation engine links related alerts, an incident is created with a unique ID, severity, and status. The incident aggregates all alerts, affected assets, and a timeline. If AIR is enabled, it may automatically start investigating and taking remediation actions. Security analysts can then review, investigate using advanced hunting, and resolve the incident with classification and determination.

How long are incidents retained in the Microsoft 365 Defender portal?

Incidents and alerts are retained for 180 days in the portal. Raw data for advanced hunting is retained for 30 days. If you need longer retention, you can integrate with Microsoft Sentinel, which allows you to retain data for up to 2 years (or more with hot/cold tiers).

What is Secure Score in the Microsoft 365 Defender portal?

Secure Score is a measurement of an organization's security posture based on configuration best practices across Microsoft 365 and Azure. It is displayed as a percentage (0-100%) and includes recommendations to improve security. Each recommendation has a point value, and completing it increases your score. Secure Score helps organizations prioritize security improvements and track progress over time.

Can I customize automated investigation and response playbooks?

Yes, but customization is limited within the portal itself. You can configure the automation level (full automatic, semi-automatic with manual approval, or manual only). For more advanced customization, you can use Microsoft Sentinel's SOAR capabilities with Logic Apps to create custom playbooks that integrate with the Defender portal via the API.
