Defender for Endpoint | Deception
Hi Everyone, I hope this topic is going to help someone. I want to know after 31 of October 2025 Does that mean that no one can run Deceptions and policy rules, etc? As at the moment I'm experiencing this: It would be good to know if I have to deal with it and look into what the issue is, as I'm using Zscaler. The issue is definitely there after running a number of commands to check the reg key, etc. Can someone provide me with any documentation if this will be fully retired or will still be functioning to some point?
SecureScore bugs
There needs to be a way to submit feedback for SecureScore. There's so many outdated links within the 'implementation' tab, and so many quirks. For example, the 'enable safe attachments' policy will fail if you use a custom Quarantine policy, even if it IS admin-only. Feels kinda sketchy to be setting these to 'Resolved through Alternate Mitigation' when you actually haven't. Another example - the Outbound Spam filter specifies no limits for emails. However the documentation DOES. This should be part of the SecureScore recommendation, no? Not sure if this is the right hub - but this is where the doc links for feedback.
Deep Dive into Preview Features in Microsoft Defender Console
Background for Discussion Microsoft Defender XDR (Extended Detection and Response) is evolving rapidly, offering enhanced security capabilities through preview features that can be enabled in the MDE console. These preview features are accessible via: Path: Settings > Microsoft Defender XDR > General > Preview features Under this section, users can opt into three distinct integrations: Microsoft Defender XDR + Microsoft Defender for Identity Microsoft Defender for Endpoint Microsoft Defender for Cloud Apps Each of these options unlocks advanced functionalities that improve threat detection, incident correlation, and response automation across identity, endpoint, and cloud environments. However, enabling these features is optional and may depend on organizational readiness or policy. This raises important questions about: What specific technical capabilities are introduced by each preview feature? Where exactly are these feature parameters are reflected in the MDE console? What happens if an organization chooses not to enable these preview features? Are there alternative ways to access similar functionalities through public preview or general availability?
Tenant Allow/Block Lists Versus Anti-spam List
Hello, I am an unsophisticated administrator for my account. So if I am posting this information in the wrong location, please forgive me and let me know where it should be posted. I have been getting inundated with financial spam or phishing emails. This spammer creates new domain names on a daily or weekly basis, and then sends new spam from these new domains. I typically get about thirty spam emails a day. And my guess is that, although they come from different domains, there is one organization behind all of them. Often, I get more than one email per domain per day. Fortunately, most of these emails end up in my junk folder. I want to stop these spammers from even reaching my Junk folder in Outlook. I want to keep them completely out of my email system. At first, I went to Microsoft 365 Defender > Email & collaboration > Policies & Rules > Threat policies and added their emails and domains to “Tenant Allow/Block Lists.” While that captured most of the known spam emails, one got through to my Junk folder. Being curious, I contacted Microsoft. I was told to add the spammers’ email addresses and domains to the “Anti-spam” list. I am not sure if this change will solve my concern. My question is as follows: What is the difference between these two lists? And why should I choose one over the other? My recommendations are as follows: For the Anti-spam list, it would be helpful to allow users to add more than one email address or domain name at a time. At present, it is painful manually adding many entries. For the Anti-spam list, it would be helpful to add the date each entry was added and allow for a comment section, similar to the Tenant Allow/Block list. It would be great if users or admins could right mouse click on a spam or phishing email in their Outlook programs and then have that email address or domain name blocked from reaching Outlook in the future. Because this affects the organization, perhaps it is best if this ability is restricted to administrators.
How to Connect MS Secure Scores to Power Query?
The Microsoft 365 Defender Portal (https://security.microsoft.com/) has a 'Secure Score' page, which contains the following: An overall secure score which is then broken down by Identity, Data, Device, and Application secure scores. I would like to be able to pull these four scores into a Power BI report; however, I have had some difficulty in putting together a solution. This data seems like it could be found in the Microsoft Graph API, but https://learn.microsoft.com/en-us/power-query/connecting-to-graph. I've tried other Defender APIs, but they all seem either outdated or out of scope for what I'm trying to pull. Can anyone advise? Thanks for reading.Secure Score isn't loading
Hi! For more than a week, the Microsoft Secure Score isn't displaying my organisation's score or any actions to review or recommended ones. I'm having problems with Teams' access lately and I need to check the security configurations as soon as possible. Does anyone have the same issue?How to get access to Move or Delete e-mail?
So this week I had some phishing e-mails that made it past Defender's filtering and were delivered to user mailboxes. I wanted to pull them back, so I found the relevant message the Defender XDR portal, and clicked on Take Action, but the only option available to me there was Submit to Microsoft for review. All the others, including Move or Delete, which is what I wanted, were grayed out. I'll add that was doing this using my Global Admin account. Did some research and supposedly assigning my account the Data Investigator role or creating a custom role with Search and Purge capability would provide the desired access So I put my account into both of those groups, and I still can't access Move or Delete. Anybody know what I am missing here? I’d be grateful for any information.Suggestion: Centralize Microsoft Defender XDR Role Management into Microsoft Entra ID
Microsoft Entra ID has evolved into a strong, centralized identity and access management solution. Likewise, the Defender XDR portal (formerly Microsoft 365 Defender) provides a unified experience for security monitoring, investigation, and response across endpoints, email, identities, and more. These tools are critical to modern SecOps. However, managing access across them is still more complex than it needs to be. Key challenges: Dual RBAC confusion: Defender for Endpoint uses its own RBAC system, separate from Entra ID. This leads to misunderstandings — for example, assigning a user the Security Reader role in Entra ID might not grant expected access in Defender once Defender RBAC is enabled. Hidden roles: Roles like Defender for Endpoint Administrator aren’t visible in the Entra portal, making centralized management harder. Access risks: Enabling Defender RBAC can revoke access for some users unless they’re added manually to MDE role groups — often without clear warning. Admin overhead: Managing permissions separately in Entra and Defender adds duplication, friction, and potential for misconfiguration. Suggestions Let’s build on the strength of Microsoft Entra ID by moving all Defender role assignments into Entra, where identity and access is already managed securely and consistently. Goal: Use only Entra ID roles to manage access to the Defender XDR portal — eliminating the need for custom RBAC roles or portal-based configurations in MDE, MDO, or MDI. Benefits of this change: Centralized, consistent access management across Microsoft security solutions Simplified admin experience with reduced configuration errors Better alignment with Zero Trust and least-privilege principles Clear, discoverable roles for Security and SOC teams Seamless experience during role onboarding/offboarding Suggested new Entra built-in roles for Defender XDR: Defender Endpoint Security Administrator Defender Email Security Administrator Defender Cloud Security Administrator SOC L1 Analyst (read-only) SOC L2 Analyst (response) SOC L3 Analyst (hunting) Defender XDR Administrator / Engineer Vulnerability Analyst Microsoft has done a fantastic job modernizing Entra and unifying security visibility in Defender XDR — and this would be a great next step forward. #MicrosoftEntraID #MicrosoftDefenderXDR #SecurityOperations #IAM #RBAC #CloudSecurity #ZeroTrust #MicrosoftSecurity #SecOps #SOC
