What's we can do if we cannot cover full M365 Defender platform (threat protection platform)?


Hi team,


I'm curious with M365 Defender, it's a Cybersecurity platform and fully benefits when we have all Defender components/services as below:

  1. Microsoft Defender for Endpoint
  2. Microsoft Defender for Office 365
  3. Microsoft Defender for Identity
  4. Microsoft Cloud App Security

So, what's happen if we cannot fully purchased above components. Assuming some components and not fully covered.


For example, if we only purchased Defender for identity and MCAS. What's limitation and scoping for manage in Threat protection portal ?


Highly appreciate your sharing experience/advice for this case.



2 Replies
I think the real benefit is in the integration of all products.

You can use the portal without all the products licensed. But each product has its own scope, if you do not use a product, you lose visibility.

For example, without endpoint, you don't have visibility on the endpoint

@HuyPham-VNYou don't need each platform, but the more telemetry you generate, the better detections you get. So in best case, using all portals and products of the "Microsoft 365 Defender Threat Protection Platform" will give you the coverage and drawing of a full killchain.


Let me take your producs:

- Microsoft Defender for Endpoint
Used for Clients and Servers

Used to manage devices

- Microsoft Defender for Office 365
Used for Mail, Phishing, Safe-Attachments etc.

- Microsoft Defender for Identity
Used for Domain-Controller

Used to manage identites/users/sessions

- Microsoft Cloud App Security

Used for cloud apps policies and Shadow-IT and DLP, e.g. you can define policies on session-level to "connected  apps". There are not much yet. But the most common connected Apps: Teams, Skype, Outlook, SharePoint various Apps on the phone etc. Here you can add fine-granular policies.


- Azure Security Center

You missed this. Used for Risk-Level and Compliance of Users.

Used for sign-in and audit-logs in Azure


Each of these portals can share signals, therefor the data can be combined. That will add value by improving the backend cloud-detections/ML/behaviour based detections.


For example if you use O365 ATP, with Defender for Endpoint and Defender for Identity.

You can get an "incident" which has a full killchain from:

- Initial Attack: An Email has been opened by an User, Macro, Powershell, Executed (

- Attacker moves on Endpoint to Servers, fires malicious processes on endpoints etc. (Defender for Endpoint)

- Attacker moves to DCs, makes pass-the-hash, bruteforce etc. (Defender for Identity).


You can now see the whole attack from A-Z, but only if signals were shared. This is were the power comes from.


For example:

Alert Guide O365 ATP

Alert Guide Defender for Identity (DCs)

Alert Guide Defender for Endpoint

Alert Guide MCAS


Now imagine, you have all of these in one chain.