Microsoft 365 Defender integration with Azure Sentinel

Copper Contributor


I understand that this feature is currently in preview, integrating the entire Defender 365 Suite into Sentinel and supporting bi-directionally sync.

Prior to this, my understanding was to route all the alerts via MCAS to avoid duplicate ID issues for example with Defender for Identity: 


If both your services (Defender for Identity and Cloud App Security) are currently configured to send alert notifications to a SIEM, after enabling Defender for Identity integration in Cloud App Security, you'll start to receive duplicate SIEM notifications for the same alert. One alert will be issued from each service and they'll have different alert IDs. To avoid duplication and confusion, decide where you intend to perform alert management, and then stop SIEM notifications being sent from the other service.


Another benefit was with integrating Defender for Endpoint with MCAS to then have the ability for Cloud App Discovery to sanction/un-sanction apps, then there was the integration of Defender for Identity with Defender for Endpoint.


I guess what I'm trying to work out is that once we start using the new 365 Defender connector to Sentinel, what do we need to change in all the integrations we have setup with all the Defender suite pointing to MCAS? (also data ingestion cost savings come into play, when alerts directed to MCAS first)

The only thing I read was that you need to be aware of the incident creation rules and the need to delete them in 365 Defender to avoid duplicates, if also using in Sentinel.


Secondly, Am I correct to assume that all the 365 Defender Suite alerts will be at no charge?


Lastly, there is a note on top of all this stating "All Microsoft Cloud App Security alert types are now being onboarded to Microsoft 365 Defender" What would be great is a Best Practice 365 Defender integration guide. As there are so many portals that can be logged into.






2 Replies

Hi @AmjadGov 


I cannot answer all of your questions, but I can answer the second one. All M365 Defender Alerts and Incidents logs are free when ingested into Sentinel. If you need a more detailed view you can find it here: 


Regards A

Hi @andersk and thank you for your reply. I was already aware of "All M365 Defender Alerts and Incidents logs are free when ingested into Sentinel", but thanks for the link you supplied, I missed that one, it answers the question on MCAS, which has now be renamed to MS Defender for Cloud Apps, although MS mention security alerts are free, the Shadow IT reporting is Paid for feature. We also get some benefits as we use E5 licensing: which should be extending further. I think as it stands, once the new connector comes out of preview for Defender for Cloud Apps, it would be better to only use the free features on alerting to utilise Sentinel, but anything paid for, to then stay in D for Cloud Apps in order to maximise benefits on costing, until MS clarify this in detail.