Monitor and maintain Microsoft 365 Business Premium and Defender for Business
After you have set up and configured Microsoft 365 Business Premium or the standalone version of Microsoft Defender for Business, your next step is to prepare a plan for maintenance and operations. It's important to keep your systems, devices, user accounts, and security policies up to date to help protect against cyberattacks. You can use this article as a guide to prepare your plan.
As you prepare your plan, you can organize the various tasks into two main categories: security tasks and general admin tasks.
Security tasks
Security tasks are typically performed by security administrators and security operators.
Daily security tasks
Task | Description |
---|---|
Check your threat vulnerability management dashboard | Get a snapshot of threat vulnerability by looking at your vulnerability management dashboard, which reflects how vulnerable your organization is to cybersecurity threats. A high exposure score means your devices are more vulnerable to exploitation. 1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, select Vulnerability management > Dashboard. 2. Take a look at your Organization exposure score. If it's in the acceptable or "High" range, you can move on. If it isn't, select Improve score to see more details and security recommendations to improve this score. Being aware of your exposure score helps you to: - Quickly understand and identify high-level takeaways about the state of security in your organization - Detect and respond to areas that require investigation or action to improve the current state - Communicate with peers and management about the impact of security efforts |
Review pending actions in the Action center | As threats are detected, remediation actions come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval, which is why these should be monitored regularly. Remediation actions are tracked in the Action center. 1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, choose Action center. 2. Select the Pending tab to view and approve (or reject) any pending actions. Such actions can arise from antivirus or antimalware protection, automated investigations, manual response activities, or live response sessions. 3. Select the History tab to view a list of completed actions. |
Review devices with threat detections | When threats are detected on devices, your security team needs to know so that any needed actions, such as isolating a device, can be taken promptly. 1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, choose Reports > General > Security report. 2. Scroll down to the Vulnerable devices row. If threats were detected on devices, you can see that information in this row. |
Learn about new incidents or alerts | As threats are detected and alerts are triggered, incidents are created. Your company's security team can view and manage incidents in the Microsoft Defender portal. 1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation menu, select Incidents. Incidents are displayed on the page with associated alerts. 2. Select an alert to open its flyout pane, where you can learn more about the alert. 3. In the flyout, you can see the alert title, view a list of assets (such as endpoints or user accounts) that were affected, take available actions, and use links to view more information and even open the details page for the selected alert. |
Run a scan or automated investigation | Your security team can initiate a scan or an automated investigation on a device that has a high risk level or detected threats. Depending on the results of the scan or automated investigation, remediation actions can occur automatically or upon approval. 1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, choose Assets > Devices. 2. Select a device to open its flyout panel, and review the information that is displayed. - Select the ellipsis (...) to open the actions menu. - Select an action, such as Run antivirus scan or Initiate Automated Investigation. |
Weekly security tasks
Task | Description |
---|---|
Monitor and improve your Microsoft Secure Score | Microsoft Secure Score is a measurement of your organization's security posture. Higher numbers indicate that fewer improvement actions are needed. By using Secure Score, you can: - Report on the current state of your organization's security posture. - Improve your security posture by providing discoverability, visibility, guidance, and control. - Compare with benchmarks and establish key performance indicators (KPIs). To check your score, follow these steps: 1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, choose Secure score. 2. Review and make decisions about the remediations and actions in order to improve your overall Microsoft Secure Score. |
Improve your Secure Score for devices | Improve your security configuration by remediating issues using the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities going forward. It's always worth the time it takes to review and improve your score. To check your secure score, follow these steps: 1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, select Secure score. 2. From the Microsoft Secure Score for Devices card in the Defender Vulnerability Management dashboard, select one of the categories. A list of recommendations related to that category displays. 3. Select an item on the list to display details related to the recommendation. 4. Select Remediation options. 5. Read the description to understand the context of the issue and what to do next. Choose a due date, add notes, and select Export all remediation activity data to CSV so you can attach it to an email for follow-up. A confirmation message tells you the remediation task has been created. 6. Send a follow-up email to your IT Administrator and allow for the time that you've allotted for the remediation to propagate in the system. 7. Return to the Microsoft Secure Score for Devices card on the dashboard. The number of security controls recommendations has decreased as a result of your actions. 8. Select Security controls to go back to the Security recommendations page. The item that you addressed isn't listed there anymore, which results in your Microsoft Secure Score improving. |
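The weekly Secure Score review above can also be done from PowerShell. The following script is an added example, not part of the original article: it compares the newest and oldest Secure Score snapshots in a one-week window and lists the controls whose score fell. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Security` module) is installed and that the account can use the `SecurityEvents.Read.All` permission; the eight-snapshot window is an assumption chosen to match the weekly cadence.

```powershell
# Added example: week-over-week Secure Score check (not from the original article).
# Assumes the Microsoft.Graph.Security module and the SecurityEvents.Read.All scope.
Connect-MgGraph -Scopes 'SecurityEvents.Read.All'

# Snapshots are normally recorded once per day and returned newest first,
# so eight of them span about one week (window size is an assumption).
$scores = @(Get-MgSecuritySecureScore -Top 8 | Sort-Object CreatedDateTime -Descending)
if ($scores.Count -lt 2) {
    Write-Warning 'Fewer than two Secure Score snapshots returned; nothing to compare.'
    return
}
$latest = $scores[0]
$oldest = $scores[-1]

# Express a snapshot as a percentage of the maximum achievable score.
function Get-ScorePercent($Snapshot) {
    if (-not $Snapshot.MaxScore) { return 0 }
    [math]::Round(100 * $Snapshot.CurrentScore / $Snapshot.MaxScore, 1)
}

$pctBefore = Get-ScorePercent $oldest
$pctNow    = Get-ScorePercent $latest
[pscustomobject]@{
    From          = $oldest.CreatedDateTime
    To            = $latest.CreatedDateTime
    PercentBefore = $pctBefore
    PercentNow    = $pctNow
    Change        = [math]::Round($pctNow - $pctBefore, 1)
} | Format-List

# Index the older snapshot's per-control scores by control name.
$before = @{}
foreach ($c in $oldest.ControlScores) { $before[$c.ControlName] = $c.Score }

# Controls whose score fell during the window are the ones to review first.
$regressed = foreach ($c in $latest.ControlScores) {
    if ($before.ContainsKey($c.ControlName) -and $c.Score -lt $before[$c.ControlName]) {
        [pscustomobject]@{
            Control  = $c.ControlName
            Category = $c.ControlCategory
            Was      = $before[$c.ControlName]
            Now      = $c.Score
        }
    }
}
if ($regressed) { $regressed | Sort-Object Category, Control | Format-Table -AutoSize }
else { 'No control scores decreased in this window.' }
```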
Monthly security tasks
Task | Description |
---|---|
Run reports | Several reports are available in the Microsoft Defender portal (https://security.microsoft.com). 1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, select Reports. 2. Choose a report to review. Each report displays many pertinent categories for that report. 3. Select View details to see deeper information for each category. 4. Select the title of a particular threat to see details specific to it. |
Security tasks to perform as needed
Task | Description |
---|---|
Manage false positives/negatives | A false positive is an entity, such as a file or a process that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including Microsoft Defender for Office 365 and Microsoft Defender for Business, which are both included in Microsoft 365 Business Premium. Fortunately, steps can be taken to address and reduce these kinds of issues. For false positives/negatives on devices, see Address false positives/negatives in Microsoft Defender for Endpoint. For false positives/negatives in email, see the following articles: - How to handle malicious emails that are delivered to recipients (False Negatives), using Microsoft Defender for Office 365 - How to handle Legitimate emails getting blocked (False Positive), using Microsoft Defender for Office 365 |
Strengthen your security posture | Defender for Business includes a vulnerability management dashboard that provides you with exposure score and enables you to view information about exposed devices and see relevant security recommendations. You can use your Defender Vulnerability Management dashboard to reduce exposure and improve your organization's security posture. See the following articles: - Use your vulnerability management dashboard in Microsoft Defender for Business - Dashboard insights |
Adjust security policies | Reports are available so that you can view information about detected threats, device status, and more. Sometimes it's necessary to adjust your security policies. For example, you might apply strict protection to some user accounts or devices, and standard protection to others. See the following articles: - For device protection: View or edit policies in Microsoft Defender for Business - For email protection: Recommended settings for EOP and Microsoft Defender for Office 365 security |
Analyze admin submissions | Sometimes it's necessary to submit entities, such as email messages, URLs, or attachments to Microsoft for further analysis. Reporting items can help reduce the occurrence of false positives/negatives and improve threat detection accuracy. See the following articles: - Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft - Admin review for user reported messages |
Protect priority user accounts | Not all user accounts have access to the same company information. Some accounts have access to sensitive information, such as financial data, product development information, partner access to critical build systems, and more. If compromised, accounts that have access to highly confidential information pose a serious threat. We call these types of accounts priority accounts. Priority accounts include (but aren't limited to) CEOs, CISOs, CFOs, infrastructure admin accounts, build system accounts, and more. See the following articles: - Protect your administrator accounts - Security recommendations for priority accounts in Microsoft 365 |
Protect high-risk devices | The overall risk assessment of a device is based on a combination of factors, such as the types and severity of active alerts on the device. As your security team resolves active alerts, approves remediation activities, and suppresses subsequent alerts, the risk level decreases. See Manage devices in Microsoft Defender for Business. |
Onboard or offboard devices | As devices are replaced or retired, new devices are purchased, or your business needs change, you can onboard or offboard devices from Defender for Business. See the following articles: - Onboard devices to Microsoft Defender for Business - Offboard a device from Microsoft Defender for Business |
Remediate an item | Microsoft 365 Business Premium includes several remediation actions. Some actions are taken automatically, and others await approval by your security team. 1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, go to Assets > Devices. 2. Select a device, such as one with a high risk level or exposure level. A flyout pane opens and displays more information about alerts and incidents generated for that item. 3. On the flyout, view the information that is displayed. Select the ellipsis (...) to open a menu that lists available actions. 4. Select an available action. For example, you might choose Run antivirus scan, which will cause Microsoft Defender Antivirus to start a quick scan on the device. Or, you could select Initiate Automated Investigation to trigger an automated investigation on the device. |
Remediation actions for devices
The following table summarizes remediation actions that are available for devices in Microsoft 365 Business Premium and Defender for Business:
Source | Actions |
---|---|
Automated investigations | Quarantine a file Remove a registry key Kill a process Stop a service Disable a driver Remove a scheduled task |
Manual response actions | Run antivirus scan Isolate device Add an indicator to block or allow a file |
Live response | Collect forensic data Analyze a file Run a script Send a suspicious entity to Microsoft for analysis Remediate a file Proactively hunt for threats |
General admin tasks
Maintaining your environment includes managing user accounts, managing devices, and keeping things up to date and working correctly. Admin tasks are typically performed by global administrators and tenant administrators. Learn more about admin roles.
Important
Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
If you're new to Microsoft 365, take a moment to get an Overview of the Microsoft 365 admin center.
Admin center tasks
Task | Resources to learn more |
---|---|
Get started using the Microsoft 365 admin center | Overview of the Microsoft 365 admin center |
Learn about new features in the Microsoft 365 admin center | What's new in the Microsoft 365 admin center |
Find out about new product updates and features so you can help prepare users | Stay on top of Microsoft 365 product and feature changes |
View usage reports to see how people are using Microsoft 365 | Microsoft 365 Reports in the admin center |
Open a technical support ticket | Get support for Microsoft 365 for business |
Users, groups, and passwords
Email and calendars
Task | Resources to learn more |
---|---|
Migrate email and contacts from Gmail or another email provider to Microsoft 365 | Migrate email and contacts to Microsoft 365 |
Add an email signature, legal disclaimer, or disclosure statement to email messages that come in or go out | Create organization-wide signatures and disclaimers |
Set up, edit, or delete a security group | Create, edit, or delete a security group in the Microsoft 365 admin center |
Add users to a distribution group | Add a user or contact to a Microsoft 365 distribution group |
Set up a shared mailbox so people can monitor and send email from a common email address, like info@contoso.com | Create a shared mailbox |
Devices
Task | Resources to learn more |
---|---|
Use Windows Autopilot to set up and preconfigure new devices or to reset, repurpose, and recover devices (applies to Microsoft 365 Business Premium) | Overview of Windows Autopilot |
View current status of and manage devices | Manage devices in Microsoft Defender for Business |
Onboard devices to Defender for Business | Onboard devices to Defender for Business |
Offboard devices from Defender for Business | Offboard a device from Defender for Business |
Manage devices with Intune | What does device management with Intune mean? Manage your devices and control device features in Microsoft Intune |
Domains
Task | Resources to learn more |
---|---|
Add a domain (like contoso.com) to your Microsoft 365 subscription | Add a domain to Microsoft 365 |
Buy a domain | Buy a domain name |
Remove a domain | Remove a domain |
Subscriptions and billing
Task | Resources to learn more |
---|---|
View your bill or invoice | View your Microsoft 365 for business subscription bill or invoice |
Manage your payment methods | Manage payment methods |
Change the frequency of your payments | Change your Microsoft 365 subscription billing frequency |
Change your billing address | Change your Microsoft 365 for business billing addresses |