Multi-tenant endpoint security policies distribution is now in Public Preview
We’re excited to announce a key milestone in Defender’s multi-tenant management journey—Microsoft Defender for Endpoint security policies can now be distributed across multiple tenants from the Defender multi-tenant portal. This capability empowers security teams to manage policies at scale, ensuring consistency and saving valuable time. What is content distribution? Content distribution is a powerful Defender feature that enables scalable management of content across tenants. With this capability, you can create content distribution profiles in the multi-tenant portal that allow you to seamlessly replicate existing content—such as custom detection rules and now, endpoint security policies—from a source tenant to designated target tenants. Once distributed, the content runs on the target tenant, enabling centralized control with localized execution. How it works Security policies are now a selectable content type when creating a distribution profile. Simply choose existing policies from your home tenant and add them to the distribution profile. You can also decide which Microsoft Entra group(s) will be applied as scope. Policy targeting will be based on the Entra device groups that exist in every tenant, and you select the relevant groups for each tenant. Upon completion, policies are automatically distributed to the selected tenants and are applied on the targeted machines. Distributed policies also appear in a hierarchical view, with the original policy serving as the parent. You can find the policies that were distributed from the tenant under the original policy. This appears on the endpoint security policies page within multi-tenant management. The last distribution status for the original policy reflects the overall status of its distributed copies, and the tenants and tenant groups sections indicate the recipients of the policy. At any time, you can update the policies, tenants, scope or any other settings, and sync to apply these changes. This new capability enables consistency (maintaining uniform security posture across tenants), efficiency (eliminating manual duplication and reducing operational overhead), and scalability (easily expanding coverage as the tenant landscape grows). FAQ What pre-requisites are required? Access to more than one tenant with Microsoft Defender for Endpoint, with delegated access via Azure B2B or GDAP (CSP Partners only), using the multi-tenant management capability. A subscription to Microsoft 365 E5 or Office E5. What permissions are needed to distribute MDE security policies? To access endpoint security policies, users require the security administrator role in each relevant tenant. To distribute content using multi-tenant management content distribution, the Security settings (manage) or Security Data Basic (read) permission is required. Both roles are assigned to the Security Administrator and Security Reader Microsoft Entra built-in roles by default. Can I update or expand distribution profiles later? Yes. You can add more content, include additional tenants, or modify scopes as needed. Learn more For more information, see Content distribution in multitenant management. To get started, navigate to the Content distribution page. To learn more about Microsoft Defender's endpoint protection, check out our website and video. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
New blog post | One click to cover containers & Kubernetes in Defender CSPM (agentless)
Defender CSPM contextual security capabilities assists security teams in the reduction of the risk of impactful breaches. Defender CSPM uses environment context to perform a risk assessment of your security issues. Defender CSPM identifies the biggest security risk issues, while distinguishing them from less risky issues. One click to cover containers & Kubernetes in Defender CSPM (agentless) - Microsoft Community HubNew blog post | Microsoft Defender for Cloud Monthly News - May 2023
This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month. In this edition, we are looking at all the goodness from April 2023. Monthly news - May 2023 - Microsoft Community Hub
Can the access to Purview dashboard be denied to non-admin users?
Hello, in my organization we noticed that when a user browses the security dashboard (security.microsoft.com), they can easily access critical information about compliance using the "more resources" tab, even if they have no directory role at all: For example, they can access the Purview portal and see information they're not supposed to see about organization's compliance: Can the "more resources" tab be hidden to the user? Alternatively, can the access to the Purview dashboard be denied to non-admin users? Thank you.
Inconsistent Defender Search Results When Searching by Hash
I am seeing inconsistent search results in Defender when searching for a file by hash. I saved a file to my desktop and sent it via email. I hashed the file with SHA1, SHA256, and MD5 algorithms. When I perform searches in https://securitycenter.windows.com/ for the MD5 hash the search completely fails. When I search using the SHA256 hash for the same file the search completes but finds no results. If I search for the SHA1 value for the same file, the file is found, and it lists the SHA256 and MD5 values for the file that previously yielded no results or failed. If I do the same searches in the M365 portal (https://security.microsoft.com) the MD5 search still fails. The SHA256 search finds an occurrence of the file in email but the result doesn't show any results for the file on endpoints. Searching for the SHA1 hash of the file again finds the file on the endpoint and email and also lists the corresponding SHA256 and MD5 but doesn't show any email results. Has anyone encountered the same issue? This seems to be a bug in Microsoft's platform.
