As part of ongoing efforts to make all experiences and features from Microsoft Defender for Identity available in Microsoft 365 Defender, the product group took the opportunity to not just lift and shift the exclusion configuration page, but to revamp the experience and make some new functionality available for security teams. This announcement confirms that these features are now available in public preview and will be made generally available soon.
So first of all, the new home for the exclusion settings can be found in the Settings area of Microsoft 365 Defender, under the Identities section:
Figure 1 - A screenshot of the Microsoft 365 Defender settings screen, highlighting the Identities section
And then you'll see Excluded entities on the left-hand menu:
Figure 2 - A screenshot of the Microsoft Defender for Identity settings area, with the Excluded entities section highlighted
Under Excluded entities are two separate options. One for Exclusions by detection rule which you will be familiar with if you've played about with exclusions in Defender for Identity before. Any of the current exclusions you have set up in the Defender for Identity portal will automatically be ported across to this area:
Figure 3 - An overview of any per-detection exclusions in the excluded entities area
You'll also see Global excluded entities, which is a new feature being introduced as part of this rollout. Global exclusions allow you to define certain entities (IP addresses, subnets, devices, or domains) to be excluded across all of the detections Defender for Identity has. So for example, if you exclude a device, it will only apply to those detections that have device identification as part of the detection.
In both of these sections, you'll find a helpful search bar at the top of the screen. This quality of life improvement will help you quickly locate any particular detection that you're looking for.
Figure 4 - A new search function at the top of each of the exclusion tables
Please check out the features for yourself in Microsoft 365 Defender (security.microsoft.com), and as always, we'd love your feedback on these changes. Please leave a comment here, and we'll strive to get back to you as quickly as possible.