Domain 2 of 4 · Chapter 1 of 3

Configure Protections in Microsoft Defender

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Security Operations Analyst Associate premium course — no separate purchase.

Included in this chapter:

  • Pick the workload that owns the asset
  • Defender for Office 365: Safe Attachments, Safe Links, presets
  • Defender for Endpoint: ASR rules and modes
  • Defender for Cloud: CSPM baseline vs paid plans
  • Defender for Cloud Apps: access, session, OAuth
  • Exam pattern recognition

Which Defender protection for which asset

Defender workloadAsset it protectsPrimary protection controlsFree baseline vs paid
Defender for Office 365Email and collaboration (Exchange, Teams, SharePoint, OneDrive)Safe Attachments, Safe Links, anti-phishing, preset security policiesAdds to free EOP baseline; Plan 1/Plan 2 are paid
Defender for Cloud AppsSaaS apps and OAuth app consentAccess policies, session policies (Conditional Access App Control), file/activity policies, App GovernanceLicensed add-on; no free protection tier
Defender for EndpointDevices (Windows, macOS, Linux, mobile)Next-gen antivirus, ASR rules, controlled folder access, network protectionPlan 1/Plan 2 paid; ASR rules need Defender AV active
Defender for CloudCloud workloads (VMs, storage, SQL, containers) across Azure, AWS, GCPPer-resource Defender plans for runtime threat protectionFree CSPM (recommendations) baseline; Defender plans are paid (alerts)

Decision tree

Email or Teams message?phishing, malware attachmentDefender for Office 365Safe Links, Safe AttachmentsYesSaaS app or OAuth app?in-session control, consentNoDefender for Cloud Appssession / access policy, App GovernanceYesEndpoint device?laptop, server, phoneNoDefender for EndpointASR rules (Audit then Block)YesDefender for Cloudenable per-resource planNo (cloud workload)Always: free CSPM gives recommendations; a paid Defender plan gives alerts

Cheat sheet

  • Pick the Defender workload that owns the attacked asset
  • Defender for Office 365 adds detonation and time-of-click on top of free EOP
  • Safe Links rechecks URLs at click time, not just at delivery
  • Use Safe Attachments Block to stop files; Dynamic Delivery to avoid delay
  • Apply the Standard or Strict preset for Microsoft's recommended baseline
  • Office 365 policy precedence: Strict beats Standard beats custom beats Built-in
  • Deploy ASR rules in Audit first, then promote to Block
  • ASR rules run in one of four modes, including Warn for user override
  • ASR rules need Microsoft Defender Antivirus as the active AV
  • ASR is one slice of Defender for Endpoint's wider attack surface reduction set
  • ASR rule conflicts: non-conflicting settings merge, conflicting ones are dropped
  • Defender for Cloud: free CSPM gives recommendations, a paid plan gives alerts
  • Enable the matching Defender plan to protect each cloud resource type
  • Paid Defender CSPM is a separate upgrade from free foundational CSPM
  • Defender for Cloud spans Azure, AWS, and GCP via native connectors
  • Defender for Servers integrates Defender for Endpoint onto VMs automatically
  • Access policy decides the sign-in; session policy controls actions inside the app
  • Session policies use Conditional Access App Control, a reverse proxy
  • File and activity policies cover data at rest and logged behaviour in SaaS
  • Use App Governance to catch malicious or overprivileged OAuth apps
  • Match the configuration surface to the product to confirm an answer
  • Just-in-time VM access needs Defender for Servers Plan 2, ARM deployment, and an NSG or Azure Firewall
  • Agentless scanning, JIT VM access, and file integrity monitoring are Defender for Servers Plan 2 only

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. https://learn.microsoft.com/en-us/defender-office-365/mdo-about
  2. https://learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps
  3. https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint
  4. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction
  5. https://learn.microsoft.com/en-us/defender-office-365/eop-about
  6. https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
  7. https://learn.microsoft.com/en-us/defender-office-365/safe-links-about
  8. https://learn.microsoft.com/en-us/defender-office-365/preset-security-policies
  9. https://learn.microsoft.com/en-us/defender-office-365/configuration-analyzer-for-security-policies
  10. https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
  11. https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-deployment
  12. https://learn.microsoft.com/en-us/defender-endpoint/overview-attack-surface-reduction
  13. https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-cloud-security-posture-management
  14. https://learn.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls
  15. https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws
  16. https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-gcp
  17. https://learn.microsoft.com/en-us/defender-cloud-apps/access-policy-aad
  18. https://learn.microsoft.com/en-us/defender-cloud-apps/session-policy-aad
  19. https://learn.microsoft.com/en-us/defender-cloud-apps/proxy-intro-aad
  20. https://learn.microsoft.com/en-us/defender-cloud-apps/user-activity-policies
  21. https://learn.microsoft.com/en-us/defender-cloud-apps/data-protection-policies
  22. https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance