Skip to content

Microsoft Defender Products and Licensing Demystified

“If you’re not confused, you’re not paying attention.”

Tom Peters, Thriving on Chaos: Handbook for a Management Revolution

Over the last couple of years there has been more than a few name changes for the Microsoft 365 and Azure security products.

In this article we will look at the name changes, give a brief overview of each product and discuss the required licencing.

As I’m sure you have noticed, Microsoft is unifying their security offerings under the Microsoft Defender brand which is delivered as two product suites:

The new Microsoft Defender is the most comprehensive XDR in the market today and prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms.

https://www.microsoft.com/security/blog/

In addition to the Microsoft Defender products, Microsoft Sentinel is Microsoft’s cloud-native SIEM that not only unifies the XDR data from the Microsoft Defender products, but can also consume data from other security solutions such as firewalls and other security tools, to gain visibility across the entire environment.

Microsoft 365 Defender

Old NameNew Name
Microsoft Threat ProtectionMicrosoft 365 Defender
Microsoft Defender ATPMicrosoft Defender for Endpoint Plan 1 (P1)
Microsoft Defender for Endpoint Plan 2 (P2)
Microsoft Defender for Endpoint Server
Office 365 ATPMicrosoft Defender for Office 365
Azure ATPMicrosoft Defender for Identity
Microsoft Cloud App SecurityMicrosoft Defender for Cloud Apps
N/AMicrosoft Defender for Business
ATP = Advance Threat Protection

Microsoft 365 Defender is accessed through the Microsoft 365 Defender portal that acts as a central view for all information on detections, impacted assets, automated actions taken, and related evidence.

The following licenses gives you access to Microsoft 365 Defender features via the Microsoft 365 Defender portal without additional cost:

  • Microsoft 365 E5 or A5
  • Microsoft 365 E3 with the Microsoft 365 E5 Security add-on
  • Microsoft 365 E3 with the Enterprise Mobility + Security E5 add-on
  • Microsoft 365 A3 with the Microsoft 365 A5 Security add-on
  • Enterprise Mobility + Security (EMS) E5 or A5

Microsoft Defender for Endpoint

Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response that includes:

  • Risk-based vulnerability management and assessment
  • Attack surface reduction capabilities
  • Behavioral based and cloud-powered next generation protection
  • Endpoint detection and response (EDR)
  • Automatic investigation and remediation
  • Managed hunting services

Microsoft Defender for Endpoint Plan 1 (P1)

Microsoft Defender for Endpoint P1 delivers core endpoint protection capabilities such as next generation anti-malware, attack surface reduction rules, device control, endpoint firewall, network protection and more.

Microsoft Defender for Endpoint P1 is available as a standalone user subscription license for commercial and education customers. It is also included as part of Microsoft 365 E3/A3.

Microsoft Defender for Endpoint Plan 2 (P2)

Microsoft Defender for Endpoint P2, which was previously called Microsoft Defender for Endpoint, includes all the capabilities of Microsoft Defender for Endpoint P1 with additional capabilities such as endpoint detection and response, automated investigation and remediation, threat and vulnerability management, threat intelligence, sandbox, and Microsoft threat experts.

Microsoft Defender for Endpoint P2 is available as a standalone license and as part of the following plans:

  • Windows 11 Enterprise E5/A5
  • Windows 10 Enterprise E5/A5
  • Microsoft 365 E5/A5/G5 (which includes Windows 10 or Windows 11 Enterprise E5)
  • Microsoft 365 E5/A5/G5/F5 Security
  • Microsoft 365 F5 Security & Compliance

Microsoft Defender for Endpoint Server

Microsoft Defender for Endpoint Server is an add-on for customers with a combined minimum of 50 licenses of Microsoft Defender for Endpoint and has capabilities that are similar to Microsoft Defender for Endpoint P2.

It is also comes bundled with Microsoft Defender for servers.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) helps protect organizations against sophisticated attacks such as phishing and zero-day malware. Microsoft Defender for Office 365 also provides actionable insights by correlating signals from a broad range of data to help identify, prioritize, and provide recommendations on how to address potential threats.

Microsoft Defender for Office 365 Plans 1 and 2 are available with

  • Office 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Security
  • Microsoft 365 F5 Security & Compliance,

Microsoft 365 Business Premium provides access to Microsoft Defender for Office 365 Plan 1 only.

Defender for Office 365 Plan 1

Configuration, protection, and detection capabilities:

  • Safe Attachments
  • Safe Links
  • Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
  • Anti-phishing protection in Defender for Office 365
  • Real-time detection

Defender for Office 365 Plan 2

Defender for Office 365 Plan 1 capabilities, plus automation, investigation, remediation, and education capabilities:

  • Threat Trackers
  • Threat Explorer
  • Automated investigation and response
  • Attack simulation training

Microsoft Defender for Identity

Defender for Identity uses your on-premises Active Directory Domain Services (AD DS) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

The following licences provide the rights to benefit from Microsoft Defender for Identity.

  • Enterprise Mobility + Security E5/A5
  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Security
  • Microsoft F5 Security & Compliance
  • Microsoft Defender for Identity for Users

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) solution that gives customers flexibility in how to implement core capabilities and supporting multiple types of deployment. Microsoft Defender for Cloud Apps is a user-based subscription service. Each license is a per user, per month license and can be licensed as a standalone product or as part of multiple licensing plans, as listed below.

Microsoft Defender for Cloud Apps is available as a standalone license and is also available as part of the following plans:

  • Enterprise Mobility + Security E5
  • Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security
  • Microsoft 365 E5/A5/G5/F5 Compliance
  • Microsoft 365 F5 Security & Compliance
  • Microsoft 365 Information Protection and Governance
  • Aditional

Azure AD P1/P2 provides the rights for a user to benefit from the Discovery capabilities that are included as part of Defender for Cloud Apps.

To benefit from the Conditional Access App Control capabilities in Defender for Cloud Apps, users must also be licensed for Azure Active Directory P1, which is included in:

  • Enterprise Mobility + Security F1/F3/E3/A3/G3
  • Enterprise Mobility + Security E5
  • Microsoft 365 E3/A3/G3
  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Security
  • Microsoft 365 F5 Security & Compliance.

To benefit from automatic client-side labeling, users must be licensed for Azure Information Protection P2, which is included in:

  • Enterprise Mobility + Security E5/A5/G5
  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance
  • Microsoft 365 F5 Security & Compliance
  • Microsoft 365 Information Protection and Governance.

Microsoft Defender for Business

Microsoft Defender for Business is a new endpoint security solution designed for small and medium-sized businesses (up to 300 employees) and is part of Microsoft 365 Business Premium licenses.

By default, Microsoft Defender for Business features are enabled at the tenant level for all users within the tenant.

A standalone version of Defender for Business is in preview and will be available later this year.

Microsoft Defender for Cloud

Old NamesNew Name
Azure Security Centre
Azure Defender
Microsoft Defender for Cloud
Azure Defender for…Microsoft Defender for Servers
Microsoft Defender for Storage
Microsoft Defender for App Service
Microsoft Defender for Key Vault
Microsoft Defender for Resource Manager
Microsoft Defender for DNS
Microsoft Defender for open-source relational databases
Microsoft Defender for Azure Cosmos DB (Preview)
Azure Defender for Kubernetes
Azure Defender for container registries
Microsoft Defender for Containers
Advanced Threat Protection for SQLAzure Defender for SQL
N/AMicrosoft Defender for Cloud database
Azure Defender for IoT
Azure Security Centre for IoT
Microsoft Defender for IoT

Microsoft Defender for Cloud is a solution for cloud security posture management (CSPM) and cloud workload protection (CWP) that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment, and can protect workloads across multicloud and hybrid environments from evolving threats.

Defender for Cloud provides the tools needed to harden your resources, track your security posture, protect against cyber attacks, and streamline security management. Because it’s natively integrated, deployment of Defender for Cloud is easy, providing you with simple auto provisioning to secure your resources by default

The Microsoft Defender for Cloud Free Tier includes continuous assessment and security recommendations, as well as Secure Score for Azure and AWS environments.

The CSPM capabilities in Microsoft Defender for Cloud are free. Workload protection capabilities are charged on a per resource basis. Read complete pricing details for enhanced security capabilities to help protect your workloads.

When you enable Microsoft Defender for Cloud, you resources will be automatically enrolled and protected unless you explicitly decide to opt-out.

Microsoft Defender for servers

Microsoft Defender for servers is one of the enhanced security features of Microsoft Defender for Cloud. Use it to add threat detection and advanced defenses to your Windows and Linux machines whether they’re running in Azure, on-premises, or in a multi-cloud environment.

Microsoft Defender for servers includes Microsoft Defender for Endpoint.

Reference
Microsoft Defender for servers – the benefits and features | Microsoft Docs

Microsoft Defender for Storage

Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage accounts. It uses advanced threat detection capabilities and Microsoft Threat Intelligence data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks.

Reference
Microsoft Defender for Storage – the benefits and features | Microsoft Docs

Microsoft Defender for SQL

Microsoft Defender for SQL includes two Microsoft Defender plans that extend Microsoft Defender for Cloud’s data security package to secure your databases and their data wherever they’re located. Microsoft Defender for SQL includes functionalities for discovering and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your databases.

References
Microsoft Defender for SQL – the benefits and features | Microsoft Docs
Microsoft Defender for SQL – Azure SQL Database | Microsoft Docs

Microsoft Defender for Containers

Microsoft Defender for Containers is the cloud-native solution for securing your containers.

Reference
Container security with Microsoft Defender for Cloud | Microsoft Docs

Microsoft Defender for App Service

Defender for Cloud is natively integrated with App Service, eliminating the need for deployment and onboarding – the integration is transparent.

To protect your Azure App Service plan with Microsoft Defender for App Service, you’ll need:

  • A supported App Service plan associated with dedicated machines.
  • Defender for Cloud’s enhanced protections enabled on your subscription.

Reference
Microsoft Defender for App Service – the benefits and features | Microsoft Docs

Microsoft Defender for Key Vault

Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Enable Microsoft Defender for Key Vault for Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence.

Reference
Microsoft Defender for Key Vault – the benefits and features | Microsoft Docs

Microsoft Defender for Resource Manager

Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization, whether they’re performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Defender for Cloud runs advanced security analytics to detect threats and alerts you about suspicious activity.

Reference
Microsoft Defender for Resource Manager – the benefits and features | Microsoft Docs


Microsoft Defender for DNS

Microsoft Defender for DNS provides an additional layer of protection for resources that use Azure DNS’s Azure-provided name resolution capability.

From within Azure DNS, Defender for DNS monitors the queries from these resources and detects suspicious activities without the need for any additional agents on your resources.

Reference
Microsoft Defender for DNS – the benefits and features | Microsoft Docs

Microsoft Defender for open-source relational databases

This plan brings threat protections for the following open-source relational databases:

  • Azure Database for PostgreSQL
  • Azure Database for MySQL
  • Azure Database for MariaDB

Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. The plan makes it simple to address potential threats to databases without the need to be a security expert or manage advanced security monitoring systems.

Reference
Microsoft Defender for open-source relational databases – the benefits and features | Microsoft Docs

Microsoft Defender for Azure Cosmos DB (Preview)

Microsoft Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitation of your database through compromised identities, or malicious insiders.

Defender for Azure Cosmos DB uses advanced threat detection capabilities, and Microsoft Threat Intelligence data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks.

You can enable protection for all your databases (recommended), or enable Microsoft Defender for Azure Cosmos DB at either the subscription level, or the resource level.

Reference
Overview of Defender for Azure Cosmos DB – Microsoft Defender for Azure Cosmos DB | Microsoft Docs

Microsoft Defender for Cloud databases (DB)

Microsoft Defender for Cloud database security, allows you to protect your entire database estate, by detecting common attacks, supporting enablement, and threat response for the most popular database types in Azure.

The types of protected databases are:

  • Azure SQL Databases
  • SQL servers on machines
  • Open-source relational databases (OSS RDB)
  • Azure Cosmos DB

Reference
Enable database protection for your subscription – Microsoft Defender for Azure Cosmos DB | Microsoft Docs

Microsoft Defender for IoT

Microsoft Defender for IoT is a unified security solution for identifying IoT/OT devices, vulnerabilities, and threats. It enables you to secure your entire IoT/OT environment, whether you need to protect existing IoT/OT devices or build security into new IoT innovations.

Reference
Overview for OT networks – Microsoft Defender for IoT | Microsoft Docs

Other References

Conclusion

I hope this is useful and helps you ‘Demystify’ things. Please let me know below if it did or if you have anything to add.

Published inTechnology

Be First to Comment

Leave a Reply

Your email address will not be published.