rancorm / microsoft-defender-field-guide

Comprehensive resource for understanding, implementing, and optimizing Microsoft Defender.


Microsoft Defender Field Guide

Cover image: Slide 15 of Microsoft Cybersecurity Reference Architectures


This field guide is meticulously curated to provide security professionals, system administrators, and IT enthusiasts with in-depth knowledge and practical insights to effectively secure their systems and networks using Microsoft Defender.

Contribute

Pull requests are welcome.

Table of Contents

Modules and PowerShell

Security & Compliance, Exchange Online (EXO), Exchange Online Protection (EOP), SharePoint Online, Teams, and Intune (through Microsoft Graph) each have a PowerShell module. Install them from the PowerShell Gallery; add -Scope CurrentUser if you are not running elevated.

Install-Module -Name Microsoft.Graph.DeviceManagement
Install-Module -Name AzureADPreview
Install-Module -Name ExchangeOnlineManagement
Install-Module -Name Microsoft.Online.SharePoint.PowerShell
Install-Module -Name MicrosoftTeams

Import the module and connect to the Entra ID tenant to access its cmdlets. Note that the AzureAD and AzureADPreview modules are deprecated in favor of the Microsoft Graph PowerShell SDK (Connect-MgGraph); they are kept here because the examples below still use them.

Import-Module AzureADPreview
Connect-AzureAD

Connect to Security & Compliance PowerShell with Connect-IPPSSession, which is shipped in the ExchangeOnlineManagement module (there is no separate Security & Compliance module).

Connect-IPPSSession

Each remaining module has its own connection cmdlet: Connect-MicrosoftTeams, Connect-SPOService, and Connect-ExchangeOnline.
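The following script is an added example, not code from the field guide itself. It opens the sessions the rest of this guide relies on and checks that each one actually came up, requesting only the Graph scopes the Intune steps later in the guide need. The scope list and the $Upn parameter are assumptions; adjust them for your tenant.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, ExchangeOnlineManagement

# Added example (not from the original guide): establish and verify the
# Graph, Exchange Online and Security & Compliance sessions.
param(
    [Parameter(Mandatory)] [string] $Upn   # assumption: the admin UPN to sign in with
)

# Least-privilege Graph scopes for creating a group, a device configuration
# and its assignment (assumed minimum for the Intune steps in this guide).
$graphScopes = @(
    'Group.ReadWrite.All',
    'DeviceManagementConfiguration.ReadWrite.All'
)

Connect-MgGraph -Scopes $graphScopes -NoWelcome

# Verify the Graph session exists and that consent covers every requested scope.
$ctx = Get-MgContext
if (-not $ctx) { throw 'Connect-MgGraph did not establish a session.' }
$missing = $graphScopes | Where-Object { $_ -notin $ctx.Scopes }
if ($missing) { throw "Consent missing for Graph scopes: $($missing -join ', ')" }

# Exchange Online and Security & Compliance both come from ExchangeOnlineManagement.
Connect-ExchangeOnline -UserPrincipalName $Upn -ShowBanner:$false
Connect-IPPSSession    -UserPrincipalName $Upn

# Confirm both REST sessions are connected before running any configuration cmdlets.
$sessions = Get-ConnectionInformation
foreach ($s in $sessions) {
    if ($s.State -ne 'Connected') {
        throw "Session to $($s.ConnectionUri) is in state '$($s.State)'"
    }
}
$sessions | Select-Object ConnectionUri, State, UserPrincipalName
```

Run it once per admin session; the explicit scope check matters because Connect-MgGraph succeeds even when an admin has only consented to a subset of the scopes, and the failure then surfaces later as a 403 from New-MgDeviceManagementDeviceConfiguration.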

Defender for Endpoint

Supported hardware and software have Defender for Endpoint (MDE) built in, which simplifies deployment to those devices. Older versions of Windows and non-Windows devices require an agent to provide data to MDE.

Minimum hardware requirements for MDE on Windows devices are the same as the requirements for the operating system (that is, they aren't in addition to the requirements for the operating system).
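Before assuming a built-in or agent-based deployment worked, confirm on the endpoint that it is onboarded and the sensor is running. The following check is an added example and not part of the original guide; it reads the onboarding status key the MDE onboarding process writes, the state of the Sense service that hosts the EDR sensor, and the Defender Antivirus status. Run it elevated on the Windows device.

```powershell
# Added example (not from the original guide): local MDE onboarding health check.
function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    # OnboardingState = 1 under this key is what a successful MDE onboarding writes.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = $false
    if (Test-Path $statusKey) {
        $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
        $onboarded = ($state -eq 1)
    }

    # The EDR sensor runs as the "Sense" service (Windows Defender Advanced Threat Protection Service).
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Defender Antivirus state: real-time protection, running mode (Normal/Passive/EDR Block), signature age.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Onboarded          = $onboarded
        SenseService       = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        AMRunningMode      = $mp.AMRunningMode
        SignatureAgeDays   = $mp.AntivirusSignatureAge
    }
}

$result = Test-MdeOnboarding
$result | Format-List

# A device that is not onboarded or whose sensor is stopped produces no EDR data,
# however healthy Defender Antivirus looks on its own.
if (-not $result.Onboarded -or $result.SenseService -ne 'Running') {
    Write-Warning 'Device is not reporting to MDE; onboard it (Intune, Configuration Manager, or the local onboarding script) before relying on EDR telemetry.'
}
```

AMRunningMode is worth keeping in the output: Passive mode is expected where a third-party antivirus is primary, but it also means tamper protection and most remediation actions are not in effect, which changes what an MDE alert can do on that host.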

Deploy with Intune

Create a new group to target users or devices with an Endpoint detection and response (EDR) policy that turns on MDE. (New-AzureADMSGroup is from the deprecated AzureADPreview module; New-MgGroup from Microsoft.Graph.Groups is the current equivalent.)

$group = New-AzureADMSGroup -DisplayName "New MDE Group" -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"

Create an EDR policy device configuration.

$params = @{
  "@odata.type" = "#microsoft.graph.windowsDefenderAdvancedThreatProtectionConfiguration"
  description = "New EDR Policy"
  displayName = "New EDR Policy"
  version = 7
  allowSampleSharing = $true
  enableExpeditedTelemetryReporting = $true
}

$deviceConfiguration = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params

Create the device configuration assignment to the security group. An Entra ID group is targeted with a groupAssignmentTarget and its groupId; the configurationManagerCollectionAssignmentTarget type with a collectionId is only valid for Configuration Manager collections and will not bind the policy to an Entra group.

$params = @{
  "@odata.type" = "#microsoft.graph.deviceConfigurationAssignment"
  target = @{
    "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
    groupId = $group.Id
  }
}

New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $deviceConfiguration.Id -BodyParameter $params
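The whole Intune deployment, as an added example that is not the guide's own code: it uses the Microsoft Graph PowerShell SDK throughout (no AzureAD module), includes the Connect-MgGraph call the steps above require, targets the Entra group with groupAssignmentTarget, and reads the assignment back to verify it. The group and policy names, the mail nickname and the scope list are assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.DeviceManagement

# Added example (not from the original guide): end-to-end MDE EDR policy deployment via Graph.
# Scopes assumed to be the minimum for the three write operations below.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

# 1. Security group to target (names are assumptions; MailNickname must be unique in the tenant).
$group = New-MgGroup -DisplayName 'MDE Pilot Devices' `
                     -MailEnabled:$false -SecurityEnabled:$true `
                     -MailNickname 'mde-pilot-devices'

# 2. EDR device configuration that turns on MDE and allows sample sharing.
$policyBody = @{
    '@odata.type'                     = '#microsoft.graph.windowsDefenderAdvancedThreatProtectionConfiguration'
    displayName                       = 'MDE EDR Policy'
    description                       = 'Turns on Defender for Endpoint EDR'
    allowSampleSharing                = $true
    enableExpeditedTelemetryReporting = $true
}
$policy = New-MgDeviceManagementDeviceConfiguration -BodyParameter $policyBody

# 3. Assign the policy to the Entra group. groupAssignmentTarget/groupId is the target
#    type for Entra groups; configurationManagerCollectionAssignmentTarget is only for
#    Configuration Manager collections.
$assignBody = @{
    '@odata.type' = '#microsoft.graph.deviceConfigurationAssignment'
    target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
        groupId       = $group.Id
    }
}
New-MgDeviceManagementDeviceConfigurationAssignment `
    -DeviceConfigurationId $policy.Id -BodyParameter $assignBody | Out-Null

# 4. Read the assignments back and fail loudly if the group is not among the targets.
$assignments = Get-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $policy.Id
$targeted = $assignments | Where-Object {
    $_.Target.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.groupAssignmentTarget' -and
    $_.Target.AdditionalProperties['groupId'] -eq $group.Id
}
if (-not $targeted) {
    throw "Policy $($policy.Id) is not assigned to group $($group.Id)"
}
"Policy '$($policy.DisplayName)' ($($policy.Id)) is assigned to group '$($group.DisplayName)' ($($group.Id))"
```

The read-back in step 4 is the part to keep in any automation: the assignment POST returns 201 even when the target is malformed, so confirming the returned target type and groupId is the only cheap way to catch a policy that was created but reaches no devices.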

Deploy with Configuration Manager

Instructions to deploy with Configuration Manager.

Integration with Other Microsoft 365 Services

MDE integrates with Microsoft Intune, Defender for Office 365, and Defender for Cloud Apps.

Defender for Office 365

Protects Office 365 users with message safety features such as anti-spam, anti-phishing, Safe Links, Safe Attachments, and Safe Documents.

Defender for Cloud

An umbrella of Microsoft products and services that protect cloud assets: Defender for Key Vault, Defender for Servers, Defender for DNS, and others.

Defender for Cloud Apps

Defender for Identity

On-premises identity protection, using sensors on Active Directory domain controllers.

Defender for Vulnerability Management

Microsoft 365 Defender

The single pane of glass (now branded Microsoft Defender XDR) that aggregates signals from the Defender products above.


License:GNU General Public License v3.0