Frequently asked questions when turning on Microsoft Defender XDR
Applies to:
- Microsoft Defender XDR
Read responses to the most commonly asked questions about turning on Microsoft Defender XDR, including required licenses and permissions, deploying support services, and initial settings.
For instructions on how to turn on the service, read Turn on Microsoft Defender XDR.
Customers with the following non-E5 licenses can use Microsoft Defender XDR:
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Defender for Cloud Apps
- Defender for Office 365 (Plan 2)
For a full list of supported licenses, read the licensing requirements.
No, Microsoft Defender XDR consolidates data from Microsoft 365 security services that you have already deployed. Once you turn it on, incident, automation, and hunting experiences will start working within the scope of the deployed products. If none of these products are properly deployed, Microsoft Defender XDR will not display any data and is unable to take any action.
To optimize your Microsoft Defender XDR experiences, we recommend deploying all supported Microsoft 365 security products and services.
Microsoft Defender XDR automatically selects an optimal location for the data center where consolidated data is processed and stored. If you have Microsoft Defender for Endpoint, it selects the same location used by Defender for Endpoint.
Note
Microsoft Defender for Endpoint automatically provisions in European Union (EU) data centers when turned on through Microsoft Defender for Cloud. Microsoft Defender XDR will automatically provision in the same EU data center for customers who have provisioned Microsoft Defender for Endpoint in this manner.
The data center location is shown before and after the service is provisioned in the settings page for Microsoft Defender XDR (Settings > Microsoft Defender XDR). If you prefer to use another data center location, select Need help? in the Microsoft Defender portal to contact Microsoft support.
Microsoft Defender XDR is available at: https://security.microsoft.com.
Accounts assigned the following Microsoft Entra roles can access Microsoft Defender XDR functionality and data:
- Global administrator
- Security administrator
- Security Operator
- Global Reader
- Security Reader
- Compliance Administrator
- Compliance Data Administrator
- Application Administrator
- Cloud Application Administrator
Note
Role-based access control settings in Microsoft Defender for Endpoint influence access to data. For more information, read about managing access to Microsoft Defender XDR.
If you are running the Microsoft Defender XDR preview program you can now also experience the new Microsoft Defender 365 role-based access control (RBAC) model. For more information, see Microsoft Defender XDR role-based access control (RBAC) model.
By default, Microsoft Defender XDR displays time information in the UTC time zone. You can change this setting to use your local time zone. Learn about setting the time zone
Microsoft regularly provides information through the various channels, including:
- Blogposts in the Microsoft 365 security & compliance tech community
- Go to Defender monthly news
- The message center in Microsoft 365 admin center
Get the latest publicly available experiences by turning on preview features.
- Microsoft Defender XDR overview
- Turn on Microsoft Defender XDR.
- Licensing requirements and other prerequisites
- Deploy supported services
- Setup guides for Microsoft Defender XDR
- Turn on preview features
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.