Initialize Microsoft 365 Defenders Security Products Configurations

This guide focuses on configuring Microsoft 365 defender products before onboarding any device to Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Identity (MDI) or connecting Azure AD applications to Microsoft Cloud App Security (MCAS).

Pre-requirements

• Office 365 E5 subscription

• Microsoft 365 E5 subscription

• Office 365 Audit Log Search enabled

Configure Microsoft Cloud App Security

1. Navigate to Microsoft 365 Security Center

2. Go to More Resources > Microsoft Cloud App Security > open.

1. You will be taken to the MCAS portal: https://portal.cloudappsecurity.com/

1. Click on Investigate > Connected Apps.

1. Click on the three dots to the right of the Office 365 application > Edit settings.... Make sure your settings look like the image below. They should be set by default.

1. Finally, click on Connect to connect the Office 365 app to MCAS.

You can click on the Office 365 application again and run a quick test:

If office 365 auditing is propagated properly, you should see office 365 app connected.

This is important to do before connecting solutions such as Azure Sentinel to collect data from MCAS.

Configure Microsoft Defender for Identity

1. Navigate to Microsoft 365 Security Center

2. Go to More Resources > Azure Advanced Threat Protection > open.

1. Create a new MDI instance

1. You should be able to add a username and password to connect to your Active Directory Forest. These credentials are used by the MDI sensor when it is installed on an endpoint. If you have not deployed your Active Directory yet, you can still set this up. SimuLand creates a few users while deploying the lab environment. If you are using the default users, here is the information for every user:

1. Finally, you can download the MDI sensor onboarding package. Make sure you save the Access Key value. It will be used while installing the MDI sensor on an endpoint. Use the compressed file while deploying a lab environment.

Configure Microsoft Defender for Endpoint

1. Navigate to Microsoft 365 Security Center

2. Go to More Resources > Microsoft Defender Security Center > open

1. You will be redirected to https://securitycenter.windows.com/ to start the onboarding process. If not, browse to https://securitycenter.windows.com/onboarding2/start to force it. Then, set your storage location, retention policy and organization size.

1. Next, click on Start using Microsoft Defender for Endpoint to continue.

• You might get a message that says To experience Microsoft Defender for Endpoint, you need to onboard and test at least one device. You can also onboard devices later..

• Click Proceed anyway.

Beginning July 6th, 2021, we’ll gradually start routing users accessing securitycenter.windows.com to the newly unified Microsoft 365 Defender portal — the new home of Microsoft Defender for Endpoint.

1. Finally, download an MDE onboarding package to use it during deployment.

• Go to Settings > Onboarding.

• Select deployment method Local Script and click on Download onboarding package.

• Use the compressed file while deploying a lab environment.