L1. Defender XDR: Architecture and the Unified Portal
Microsoft Defender XDR unifies endpoint, identity, email, and cloud app signals into a single incident queue. This lesson covers the unified portal layout, how cross-domain correlation works, and the licensing prerequisites you need to know for the SC-200 exam.
What Is Microsoft Defender XDR?
Microsoft Defender XDR (Extended Detection and Response) is the unified security operations platform that correlates alerts across Microsoft 365 workloads into consolidated incidents. It replaces what was previously called Microsoft 365 Defender.
The unified portal at security.microsoft.com brings together:
- Defender for Endpoint (devices)
- Defender for Office 365 (email and collaboration)
- Defender for Identity (on-premises Active Directory)
- Defender for Cloud Apps (SaaS applications)
- Microsoft Sentinel (SIEM, when connected)
The Unified Portal Layout
The portal organizes security operations into key areas:
| Section | Purpose |
|---|---|
| Incidents & alerts | Correlated cross-domain incidents |
| Hunting | Advanced KQL-based threat hunting |
| Actions & submissions | Pending actions and user-reported items |
| Threat intelligence | Threat analytics reports and Defender TI intel profiles; custom indicators (IOCs) are managed separately under Settings > Endpoints > Indicators |
| Secure score | Posture improvement recommendations |
| Assets | Device and identity inventory |
Cross-Domain Correlation
Defender XDR uses a correlation engine that groups related alerts into incidents. For example, a phishing email detected by Defender for Office 365 that leads to credential theft (Defender for Identity) and lateral movement on endpoints (Defender for Endpoint) becomes one incident with a full attack story.
The correlation engine considers:
- Shared entities (users, devices, mailboxes, IP addresses)
- Temporal proximity of alerts
- Known attack patterns mapped to MITRE ATT&CK
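To make the grouping rules concrete, here is a small added model of shared-entity plus time-window correlation over a handful of constructed alerts. It is illustrative code written for this lesson, not Microsoft's correlation engine, and the alert field names (`product`, `entities`, `time`), the six-hour window, and the sample alerts themselves are assumptions; the real advanced hunting schema (AlertInfo / AlertEvidence) is different.

```python
"""Toy cross-domain alert correlation (added example; not Microsoft's engine).

Two alerts are linked when they share an entity (user, device, mailbox, IP)
and are no more than WINDOW apart; linked alerts form one incident.
Field names, the window length and the sample alerts are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)  # assumed correlation window for this illustration

# Constructed sample alerts (not real detections). Entities are (type, value) pairs.
SAMPLE_ALERTS = [
    {"id": "A1", "product": "Defender for Office 365", "title": "Phishing email delivered",
     "time": datetime(2024, 5, 1, 9, 0),
     "entities": {("user", "alice@contoso.com"), ("mailbox", "alice@contoso.com")}},
    {"id": "A2", "product": "Defender for Identity", "title": "Suspicious credential access",
     "time": datetime(2024, 5, 1, 9, 40),
     "entities": {("user", "alice@contoso.com"), ("device", "WS-0142")}},
    {"id": "A3", "product": "Defender for Endpoint", "title": "Lateral movement via PsExec",
     "time": datetime(2024, 5, 1, 11, 15),
     "entities": {("device", "WS-0142"), ("device", "SRV-DC01")}},
    {"id": "A4", "product": "Defender for Endpoint", "title": "Malware detected",
     "time": datetime(2024, 5, 3, 14, 0),          # same device, but two days later
     "entities": {("device", "WS-0142")}},
    {"id": "A5", "product": "Defender for Cloud Apps", "title": "Impossible travel",
     "time": datetime(2024, 5, 1, 10, 0),
     "entities": {("user", "bob@contoso.com")}},
]


def correlate(alerts, window=WINDOW):
    """Return incidents as lists of alert ids, ordered by each incident's first alert.

    Alerts sharing an entity are sorted by time; consecutive ones within `window`
    are merged with union-find, so a long chain of closely spaced alerts stays one
    incident while an isolated later alert on the same entity starts a new one.
    """
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    by_entity = defaultdict(list)
    for a in alerts:
        for entity in a["entities"]:
            by_entity[entity].append(a)

    for group in by_entity.values():
        group.sort(key=lambda a: a["time"])
        for prev, cur in zip(group, group[1:]):
            if cur["time"] - prev["time"] <= window:
                union(prev["id"], cur["id"])

    incidents = defaultdict(list)  # insertion order = earliest alert per incident
    for a in sorted(alerts, key=lambda a: a["time"]):
        incidents[find(a["id"])].append(a["id"])
    return list(incidents.values())


def attack_story(alerts, incident_ids):
    """Render an incident's alerts as a time-ordered attack story, one line per alert."""
    by_id = {a["id"]: a for a in alerts}
    return [f'{by_id[i]["time"]:%H:%M} [{by_id[i]["product"]}] {by_id[i]["title"]}'
            for i in incident_ids]


if __name__ == "__main__":
    for incident in correlate(SAMPLE_ALERTS):
        print("Incident:", incident)
        for line in attack_story(SAMPLE_ALERTS, incident):
            print("   ", line)
```

Running it yields three incidents: the phishing, credential-access and lateral-movement alerts (A1, A2, A3) chain together through the shared user and device and become one cross-product incident; the impossible-travel alert for a different user stands alone; and the malware alert on WS-0142 two days later is not merged because it falls outside the window relative to the previous alert on that device. The real engine also weighs known attack patterns, which this toy model does not.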
Licensing Requirements
Defender XDR capabilities require specific licenses:
| Product | License |
|---|---|
| Defender for Endpoint P2 | Microsoft 365 E5 or E5 Security add-on (also sold standalone) |
| Defender for Office 365 P2 | Microsoft 365 E5 or E5 Security add-on (also in Office 365 E5 or standalone) |
| Defender for Identity | Microsoft 365 E5 or E5 Security add-on (also in EMS E5 or standalone) |
| Defender for Cloud Apps | Microsoft 365 E5 or E5 Security add-on (also in EMS E5 or standalone) |
Role-Based Access Control
The unified portal uses Microsoft Entra ID roles and custom roles defined in Microsoft Defender XDR Unified RBAC:
- Security Reader: View-only access to incidents, alerts, and reports
- Security Operator: Manage alerts and run response actions; read-only on settings
- Security Administrator: Full configuration access plus all operator permissions
Custom roles can be scoped to specific device groups or data sources (for example, Endpoint only), giving SOC teams granular access control.
Key Takeaway
Defender XDR is the exam's foundation. Every other Defender product feeds into it, and the unified portal is where SOC analysts spend their time triaging and investigating incidents.
- ✓Defender XDR correlates alerts from Endpoint, Office 365, Identity, and Cloud Apps into unified incidents automatically.
- ✓The unified portal at security.microsoft.com is the single pane of glass for all Defender workloads.
- ✓Microsoft 365 E5 or the E5 Security add-on is required for full Defender XDR capabilities.
- ✓Cross-domain correlation groups alerts by shared entities, temporal proximity, and known attack patterns.
- ✓Custom RBAC roles can be scoped to specific device groups for granular SOC access control.
1. Which portal URL hosts the unified Microsoft Defender XDR experience?
2. A phishing email triggers an alert in Defender for Office 365, and the user subsequently has suspicious sign-in activity detected by Defender for Identity. How does Defender XDR handle these alerts?
3. Which license includes all four Defender workloads (Endpoint, Office 365, Identity, Cloud Apps)?