2.1 Configure Microsoft Defender XDR

Key Takeaways

  • Microsoft Defender XDR is administered from the single unified portal at security.microsoft.com, which replaced the older standalone Defender consoles.
  • Microsoft Defender XDR Unified RBAC is the recommended consolidated permission model; custom roles are scoped to per-workload data sources and must be activated per workload.
  • Alert tuning (suppression) rules reduce noise without removing detections — the standard SC-200 answer for cutting benign-alert volume.
  • Defender for Identity uses a sensor on domain controllers/AD FS/AD CS, while Defender for Endpoint onboards the device OS; Defender for Cloud Apps is the CASB for SaaS.
  • Automatic attack disruption contains in-progress attacks using high-confidence XDR signals and supports user/device exclusions.

Last updated: May 2026

Why This Matters for SC-200

The "Manage a security operations environment" domain is the largest on SC-200 at 40-45% of the scored content. Almost every question in this domain assumes you already know where settings live in the unified Microsoft Defender portal and who is allowed to change them. Get the platform configuration model wrong and you lose points across detection, automation, and response questions too.

This section covers the Microsoft Defender XDR (Extended Detection and Response) control plane: the unified portal, tenant settings, role-based access control, alert and incident behavior, and how the individual Defender workloads are onboarded.

The Unified Microsoft Defender Portal

Microsoft Defender XDR is administered from one console at security.microsoft.com. This single portal replaced the older standalone consoles (Microsoft Defender Security Center, the Microsoft 365 Defender portal, and others). For SC-200 you should treat security.microsoft.com as the single source of truth for cross-workload alerts, incidents, hunting, settings, and — when onboarded — Microsoft Sentinel.

Capability | Where in the portal
Cross-workload incidents & alerts | Incidents & alerts
Advanced hunting (KQL) | Hunting
Threat analytics | Threat intelligence
Action center (remediation history) | Actions & submissions
Tenant configuration | Settings > Microsoft Defender XDR
Workload onboarding | Settings > Endpoints / Identities / Email & collaboration / Cloud apps

Defender XDR correlates signals from multiple workloads into a single incident. An incident is a container that groups related alerts, assets, evidence, and an automated attack story across endpoints, identities, email, SaaS apps, and cloud workloads.

RBAC and Microsoft Defender XDR Unified RBAC

SC-200 expects you to distinguish three permission models that can govern Defender XDR.

1. Microsoft Entra ID directory roles

Entra ID roles such as Security Administrator, Security Operator, Security Reader, and Global Administrator grant broad, tenant-wide access to security features. They are coarse-grained — a Security Reader can read across all workloads but cannot scope access to a single device group.

2. Workload-specific RBAC (legacy)

Each workload historically had its own model — for example, Microsoft Defender for Endpoint role-based access control with device groups, or Defender for Office 365 permissions managed through the Email & collaboration roles. These still function but create permission sprawl.

3. Microsoft Defender XDR Unified role-based access control (RBAC)

Microsoft Defender XDR Unified RBAC is the consolidated, recommended model. It lets you build custom roles with granular permissions, assign them to users or groups, and scope each assignment to data sources (workloads such as Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps).

Custom role
  ├── Permissions (e.g., Security data > read; Response > manage)
  ├── Assignments (Entra users or groups)
  └── Data sources / scope (per workload, optionally device groups)

To take effect, Unified RBAC must be activated per workload from Settings > Microsoft Defender XDR > Permissions & roles. Until a workload is activated, that workload keeps using its legacy permission model. This activation toggle is a common SC-200 distractor.
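The two checks described above (a custom role is scoped to data sources, and Unified RBAC only governs a workload once that workload has been activated) are easy to confuse under exam pressure. The following Python model is an added illustration written for this page, not Microsoft's implementation or API: the permission strings, group names and the legacy-permission table are simplified placeholders, and the scenario mirrors the first "Test Your Knowledge" question (analysts who may work with Defender for Endpoint and Defender for Identity data but not Defender for Office 365 data).

```python
"""Illustrative model of Microsoft Defender XDR Unified RBAC decisions.

Constructed for this page; not Microsoft's implementation. Role and
permission names are simplified placeholders. It shows the two checks the
text describes: a custom role is scoped to data sources (workloads), and
Unified RBAC only decides access for a workload after that workload has
been activated. An unactivated workload keeps using its legacy model.
"""
from dataclasses import dataclass, field

# Workload (data source) identifiers used by this model.
MDE = "Defender for Endpoint"
MDI = "Defender for Identity"
MDO = "Defender for Office 365"
MDA = "Defender for Cloud Apps"


@dataclass
class CustomRole:
    name: str
    permissions: set      # e.g. {"security data:read", "response:manage"}
    assignments: set      # Entra user or group identifiers (placeholders)
    data_sources: set     # workloads the assignment is scoped to


@dataclass
class Tenant:
    activated: set = field(default_factory=set)   # workloads with Unified RBAC on
    roles: list = field(default_factory=list)
    # Legacy per-workload permissions: workload -> {principal -> {permissions}}
    legacy: dict = field(default_factory=dict)


def authorize(tenant, principal, groups, workload, permission):
    """Return (allowed, model), where model names the permission model that
    decided the request: 'unified' or 'legacy'."""
    principals = {principal, *groups}
    if workload not in tenant.activated:
        # Activation toggle is off: custom roles are ignored for this
        # workload and the legacy workload-specific model decides.
        granted = set()
        for p in principals:
            granted |= tenant.legacy.get(workload, {}).get(p, set())
        return permission in granted, "legacy"
    for role in tenant.roles:
        if (principals & role.assignments
                and workload in role.data_sources
                and permission in role.permissions):
            return True, "unified"
    return False, "unified"


def demo():
    """Scenario: one custom role scoped to MDE and MDI, assigned to a SOC
    analyst group (constructed names). MDO is first left unactivated, then
    activated, to show how the toggle changes the outcome."""
    tenant = Tenant()
    tenant.roles.append(CustomRole(
        name="SOC Analyst (Endpoint + Identity)",
        permissions={"security data:read", "response:manage"},
        assignments={"grp-soc-analysts"},
        data_sources={MDE, MDI},
    ))
    # Legacy Defender for Office 365 permissions still hand out rights while
    # that workload is not activated for Unified RBAC.
    tenant.legacy[MDO] = {"grp-soc-analysts": {"security data:read"}}
    tenant.activated = {MDE, MDI}
    user, groups = "alice@contoso.example", {"grp-soc-analysts"}
    results = {
        "mde_read": authorize(tenant, user, groups, MDE, "security data:read"),
        "mdi_respond": authorize(tenant, user, groups, MDI, "response:manage"),
        "mdo_read_before_activation": authorize(tenant, user, groups, MDO, "security data:read"),
    }
    tenant.activated.add(MDO)   # flip the per-workload activation toggle
    results["mdo_read_after_activation"] = authorize(tenant, user, groups, MDO, "security data:read")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: allowed={outcome[0]} decided by={outcome[1]}")
```

The last two results are the distractor the text warns about: with Defender for Office 365 still unactivated, the legacy model grants read access even though the custom role excludes that workload; activating it makes the custom role's data-source scope the deciding factor and the same request is denied.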

[Diagram: Microsoft Defender XDR Workloads Feeding the Unified Portal]

Alert and Incident Settings

Configuration that shapes how alerts and incidents behave is a frequent SC-200 target.

  • Alert tuning (alert suppression) — Create tuning rules so a known-benign condition is automatically resolved, hidden, or downgraded instead of generating noise. Tuning is configured from Settings > Microsoft Defender XDR or directly from an alert.
  • Email notifications — Settings > Microsoft Defender XDR > Email notifications lets you create rules that notify recipients on new incidents or on vulnerabilities, filtered by severity and device group/tag.
  • Incident creation correlation — Defender XDR automatically merges related alerts into one incident using shared entities and the attack timeline. You generally tune the alerts, not the merge logic, so analysts see fewer, richer incidents.
  • Automatic attack disruption — A built-in capability that contains in-progress attacks (for example, by disabling a compromised account or isolating a device) based on high-confidence XDR signals. You can exclude specific users or devices from disruption.

Exam tip: To reduce alert volume without losing the underlying signal, the correct answer is almost always an alert tuning rule, not deleting a detection or reducing the data a connector ingests.
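To make the tuning-versus-correlation distinction concrete, here is an added Python model written for this page (not Defender XDR's own logic, which is not published here): a tuning rule auto-resolves alerts that match its conditions while the detection stays enabled, and the alerts that remain open are grouped into incidents through shared entities, as described in the portal overview above. The alert records, the scanner host name and the rule are constructed sample data modelled on the "sanctioned vulnerability scanner" scenario in the "Test Your Knowledge" section below.

```python
"""Illustrative pipeline: apply alert tuning rules, then correlate the
surviving alerts into incidents by shared entities.

Constructed for this page; not Defender XDR's own implementation, only a
simplified model of the behaviour described in the text. All alerts,
hosts and rules below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample alerts. "entities" stands in for the evidence
# (device, account, IP) that Defender XDR attaches to an alert.
ALERTS = [
    {"id": "a1", "title": "Network scanning activity", "technique": "T1046",
     "entities": {"device:SCANNER01", "ip:10.0.0.5"}},
    {"id": "a2", "title": "Network scanning activity", "technique": "T1046",
     "entities": {"device:SCANNER01", "ip:10.0.0.5"}},
    {"id": "a3", "title": "Network scanning activity", "technique": "T1046",
     "entities": {"device:WKSTN22", "ip:10.0.1.77"}},
    {"id": "a4", "title": "Suspicious PowerShell download", "technique": "T1059.001",
     "entities": {"device:WKSTN22", "account:jdoe"}},
    {"id": "a5", "title": "Atypical sign-in", "technique": "T1078",
     "entities": {"account:jdoe", "ip:203.0.113.9"}},
    {"id": "a6", "title": "Malware detected", "technique": "T1204",
     "entities": {"device:LAPTOP07"}},
]

# Tuning rule for the sanctioned scanner. Conditions are ANDed: an alert
# must match every condition for the rule to apply.
TUNING_RULES = [
    {"name": "Sanctioned vuln scanner", "action": "resolve",
     "conditions": {"title": "Network scanning activity",
                    "entity": "device:SCANNER01"}},
]


def matches(rule, alert):
    """True when the alert satisfies every condition of the tuning rule."""
    cond = rule["conditions"]
    if "title" in cond and alert["title"] != cond["title"]:
        return False
    if "entity" in cond and cond["entity"] not in alert["entities"]:
        return False
    return True


def apply_tuning(alerts, rules):
    """Return (open_alerts, auto_resolved). Resolved alerts are retained for
    audit and hidden from the analyst queue; nothing is deleted and the
    detection that produced them is untouched."""
    open_alerts, resolved = [], []
    for alert in alerts:
        hit = next((r for r in rules if matches(r, alert)), None)
        if hit and hit["action"] == "resolve":
            resolved.append({**alert, "status": "Resolved", "tuned_by": hit["name"]})
        else:
            open_alerts.append({**alert, "status": "New"})
    return open_alerts, resolved


def correlate(alerts):
    """Group alerts that share at least one entity (transitively) into
    incidents, using union-find over alert ids keyed by entity."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen = {}   # entity -> id of the first alert carrying it
    for a in alerts:
        for e in a["entities"]:
            if e in first_seen:
                parent[find(a["id"])] = find(first_seen[e])
            else:
                first_seen[e] = a["id"]
    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a["id"])
    return sorted(sorted(g) for g in groups.values())


def run():
    """Tune first, then correlate what is still open."""
    open_alerts, resolved = apply_tuning(ALERTS, TUNING_RULES)
    return {
        "resolved": [a["id"] for a in resolved],
        "open": [a["id"] for a in open_alerts],
        "incidents": correlate(open_alerts),
    }


if __name__ == "__main__":
    print(run())
```

The scanner's own alerts (a1, a2) are auto-resolved, but a3, the same technique seen on an ordinary workstation, stays open because the rule is pinned to the scanner's device entity, and correlation then ties it to the PowerShell download on the same device and to the sign-in anomaly for the same account, yielding one incident rather than three alerts.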

Onboarding the Defender Workloads

Defender XDR is only as strong as the workloads feeding it. Know the onboarding path for each.

Workload | What it protects | Onboarding summary
Microsoft Defender for Endpoint | Devices (Windows, macOS, Linux, mobile) | Onboard endpoints via script, Intune, Group Policy, or Configuration Manager; appears under Settings > Endpoints
Microsoft Defender for Identity | On-premises Active Directory & Entra ID hybrid identity | Install the Defender for Identity sensor on domain controllers / AD FS / AD CS servers; configure from Settings > Identities
Microsoft Defender for Office 365 | Email and collaboration (Exchange Online, Teams, SharePoint, OneDrive) | Enabled by licensing the tenant; configure policies (Safe Links, Safe Attachments, anti-phishing) under Email & collaboration
Microsoft Defender for Cloud Apps | SaaS apps and cloud usage (CASB) | Connect apps via API connectors and app connectors; configure from Settings > Cloud apps

A key SC-200 nuance: Defender for Identity uses a lightweight sensor on identity infrastructure (domain controllers, AD FS, AD CS), whereas Defender for Endpoint onboards the operating system itself. Defender for Cloud Apps is the Cloud Access Security Broker (CASB) and is the workload behind SaaS discovery, OAuth app governance, and session policies.

Test Your Knowledge

A SOC team needs analysts to investigate Defender for Endpoint and Defender for Identity data but NOT Defender for Office 365 data, using a single consolidated permission model. Which approach should you recommend?

Test Your Knowledge

Analysts are overwhelmed by repeated alerts from a sanctioned internal vulnerability scanner. You must reduce the noise without losing the ability to detect a real attack that uses the same technique. What should you configure?

Test Your Knowledge

Which statement correctly describes how Microsoft Defender for Identity is onboarded compared with Microsoft Defender for Endpoint?
