Microsoft Defender Features and Licensing | Part 1

William Nelson
Version 1
Aug 2, 2023

Microsoft Defender (and Microsoft 365 Defender) includes a range of services to mitigate risk and protect against threats throughout a customer’s environment.

They are suites of products and services designed to protect organisations at any endpoint — an endpoint being any item within an infrastructure (virtual or physical) that directly or indirectly interacts with another item, internally or externally.

So, for example, a user accessing resources using a device that joins to an on-premises network or a Microsoft cloud-delivered service (email, files services, database business applications etc) or an AWS or Google Cloud-hosted resource is connecting to multiple endpoints throughout.

A key principle, irrespective of deployment, is that Microsoft Defender and Microsoft 365 Defender are wholly reliant upon internet connectivity for full coverage, management and administration capabilities.

In today’s connected world, it is perhaps the exception for endpoints or services to not have internet connectivity — this needs to be considered when establishing the business case for functional and operational suitability.

As suites of enterprise defence products, there are also interdependencies with products and services that sit outside of the collective which need to be considered for the purposes of licensing a complete security solution: Entra ID (Azure AD), Azure Information Protection (AIP) and Intune, for example.

Across the range of end user suites (Microsoft 365 F3, F5, E3, E5 etc) a level of Defender entitlement is included; products within the Defender suite can also be separately provisioned (ie billed) and licensed, based on the deployment scenario: end user, on-premises or cloud.

Before getting into the detail of licensing the suite and the products contained within, first, it is important to understand what Microsoft Defender does and then how to license, based on needs and use.

So, what is Microsoft 365 Defender?

‘Microsoft 365 Defender is a unified pre- and post-breach enterprise defence suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email and applications to provide integrated protection against sophisticated attacks.’

Microsoft 365 Defender March 2023

Firstly, the end user/client device protection is available through:

Microsoft Defender for Endpoint

This product has two options: Plan 1 and Plan 2. It is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate and respond to advanced threats.

· Microsoft Defender for Endpoint Plan 1

This includes next-generation protection (contains antimalware and antivirus):

- Attack surface reduction

- Manual response actions

- Centralised management

- Security reports

- APIs

- Support for Windows 10, Windows 11, iOS, Android OS, and macOS devices

· Microsoft Defender for Endpoint Plan 2:

This includes all the above Plan 1 features and:

- Device discovery and inventory

- Core Defender Vulnerability Management capabilities

- Threat Analytics

- Automated investigation and response

- Advanced hunting

- Endpoint detection and response and Attack Notifications

- Support for Windows (client only) and non-Windows platforms (macOS, iOS, Android, and Linux)

In addition to Plan 2 is an add-on subscription:

· Microsoft Defender Vulnerability Management capabilities for Defender for Endpoint Plan 2:

- Security baselines assessment

- Block vulnerable applications

- Browser extensions

- Digital certificate assessment

- Network share analysis

- Hardware and firmware assessment

- Authenticated scan for Windows

- Support for Windows (client and server) and non-Windows platforms (macOS, iOS, Android, and Linux)

Microsoft Defender for Office 365

This is a protection suite for end user/client devices, within which are 3 component parts:

1. Exchange Online Protection (EOP)

Designed to prevent broad, volume-based, known attacks.

· It is included with all Exchange Online subscriptions, whether standalone or as part of a suite (ie Exchange Online Plan 1, Office 365 E1 through to Microsoft 365 E5).

· It is also available as a standalone product for on-premises Exchange mailboxes.

2. Microsoft Defender for Office 365 Plan 1

Designed to protect email and collaboration from zero-day malware, phish, and business email compromise.

Configuration, protection, and detection capabilities:

· Safe Attachments and Links in Exchange Online

· Safe Attachments for SharePoint, OneDrive, and Microsoft Teams

· Anti-phishing protection in Defender for Office 365

· Real-time detections

3. Microsoft Defender for Office 365 Plan 2

Designed to add post-breach investigation, hunting, and response, as well as automation and simulation (for training).

It includes all of Plan 1 and:

Automation, investigation, remediation, and education capabilities:

· Threat Trackers and Explorer

· Automated investigation and response

· Attack simulation training

· Proactively hunt for threats with advanced hunting in Microsoft 365 Defender

· Investigate incidents and alerts in Microsoft 365 Defender

Secondly, there are the Microsoft 365 Defender infrastructure products.

These include, as mentioned above, interoperability with products that sit outside of the Defender suites, namely:

· Active Directory (AD) and Entra ID (previously Azure Active Directory)

· The protection overlay for AD and Entra ID is Microsoft Defender for Identity and is available as a standalone subscription or as part of Microsoft Enterprise Mobility + Security (EMS) E5 suite/Microsoft 365 E5.

It is cloud-based but uses on-premises AD and Entra ID signals to identify, detect and investigate advanced threats, compromised identities and malicious insider actions directed at an organisation.

Microsoft Defender products for Server infrastructure

To categorise Microsoft Defender, in terms of positioning for deployment purposes, there is a cross-over whereby the same products can be used both on-premises and in the Cloud, and this includes Azure, AWS and Google Cloud Platform (GCP).

Within the Microsoft Infrastructure are on-premises and cloud deployments.

For both on-premises and Azure, a collection of the same Microsoft Defender products can be provisioned as standalone products.

In Azure (and AWS & GCP) these are also standalone products but have a friendly collective name: ‘Defender for Cloud Infrastructure’

  • Microsoft Defender for Servers
  • Microsoft Defender for Containers
  • Microsoft Defender for Database Servers
  • Microsoft Defender for DevOps

For Microsoft 365 there is also a cloud-collective friendly name of ‘Microsoft 365 Defender Infrastructure’ which includes the standalone products:

  • Microsoft Defender for Endpoint (described above)
  • Microsoft Defender for Identity (described above)
  • Microsoft Defender for Office 365 (described above)
  • Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is designed to provide a comprehensive picture of the security and protection risks associated with Software as a Service (SaaS) apps, usage and resources deployed within an organisation by helping to monitor and protect cloud app data.

There are also subsets of Defender for Cloud Apps:

  • Microsoft Defender for Cloud Apps Discovery is included at no additional charge within Entra ID Plan 1, Enterprise Mobility + Security E3 suite and Microsoft 365 E3.

This essentially provides the information and insights as to the current state of cloud apps but without the extended functionality to natively address identified issues or risks.

  • Office 365 Cloud Apps Security is part of Office 365 E5 and is limited to the product offerings within the Office 365 E5 suite.

The full ‘doing’ functionality is part of the full Microsoft Defender for Cloud Apps subscription as a standalone offering or part of EMS E5 and Microsoft 365 E5.

Summary

The Microsoft 365 Defender product offerings for end user / client devices give organisations the opportunity both to complement existing third-party services that protect against viruses, malware, and external threats to identity, resources and data, and to assess and review the opportunity to potentially displace and remove third-party products and replace them with Microsoft 365 Defender.

This is dependent on business need and objectives, but Microsoft 365 Defender, as an expanding portfolio of products and services, is worth exploring as a viable platform for end user / client device security and protection.

In part 2, I’ll move from applications to infrastructure and offer an overview of Microsoft Defender for Servers, Containers, Database Servers, DevOps and Microsoft Defender as a multi-cloud offering.

Version 1’s licensing experts can help you plan and build the most appropriate and least-cost licensing solution to meet the needs of your business. Visit our website for more information and to contact us with any questions.

About the Author:

William Nelson is a Sales Specialist as part of the SAM & License Management Practice at Version 1.

I’ve been successfully selling IT solutions and services for 20 years and now focus on my area of expertise: Microsoft Licensing and Software Asset Management.