Microsoft Defender for Office 365 & Microsoft Purview

Comprehensive Enterprise Security Suite for Threat Protection, Data Governance, and Compliance


Modern Security Integration

Defender for Office 365 and Microsoft Purview form a comprehensive security framework that protects against email and collaboration threats while enabling data governance, compliance, and risk management across hybrid environments. Together, they provide unified protection for Microsoft 365 environments including Exchange Online, SharePoint, OneDrive, and Teams.

Defender for Office 365

Cloud-based email filtering service that protects against advanced threats to email and collaboration tools, including phishing, business email compromise, and malware attacks. Provides investigation, hunting, and remediation capabilities to identify, prioritize, and respond to threats.

  • Plan 1: Safe Attachments, Safe Links, anti-phishing with impersonation protection, Real-time detections
  • Plan 2: everything in Plan 1 plus Threat Explorer, Threat Trackers, Automated Investigation and Response (AIR), Campaign Views and Attack simulation training
  • Integrates with Microsoft Defender XDR for cross-domain security

Microsoft Purview

Comprehensive set of solutions that help organizations govern, protect, and manage data across the entire data estate. Provides visibility, safeguards sensitive data, and manages critical data risks and regulatory requirements through unified data governance and compliance solutions.

  • Unified data governance across on-premises, multicloud, and SaaS
  • Automated data classification and sensitivity labeling
  • Data Loss Prevention (DLP), eDiscovery, and Insider Risk Management

Integrated Protection Workflow

Defender identifies and blocks threats → Purview classifies and protects data → Both provide investigation and remediation capabilities → Security posture continuously improves through automation and AI

Core Capabilities & Daily Operations


Safe Attachments

Protects against unknown malware by detonating attachments in a sandbox before the message (or file) is released to users.

Daily Use: Monitor blocked attachments in Threat Explorer; Adjust policies for high-risk departments
  • Zero-day protection through dynamic detonation
  • Scanning occurs in same region as your Office 365 data
  • Supports email attachments and cloud files (SharePoint, OneDrive, Teams)

Implementation:

  1. Enable in Defender portal → Policies & rules → Threat policies
  2. Create Safe Attachments policies with the appropriate action (Block, Monitor or Dynamic Delivery; the older Replace action has been retired)
  3. Set up custom notifications for blocked attachments
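The three implementation steps above, done from Exchange Online PowerShell rather than the portal. This is an added example, not code from the page or from Microsoft; the tenant domain, admin UPN, group address and the policy and rule names are placeholders. End-user notifications for quarantined items come from the quarantine policy attached through QuarantineTag, so with AdminOnlyAccessPolicy recipients are told nothing and only admins can release.

```powershell
# Added example: Safe Attachments policy + scoping rule via Exchange Online PowerShell.
# All names, addresses and the domain are placeholders (assumptions).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Policy: what happens to a message whose attachment detonates as malicious.
#    Block           = quarantine the whole message
#    Monitor         = deliver, but record the detection (use only while tuning)
#    DynamicDelivery = deliver the body now, reattach the file once the scan finishes
#    (Replace has been retired and is no longer an accepted value.)
New-SafeAttachmentPolicy -Name "Finance-SafeAttachments" `
    -Enable $true `
    -Action Block `
    -QuarantineTag AdminOnlyAccessPolicy   # recipients cannot release malware themselves

# 2. Rule: who the policy applies to. Priority 0 wins over every other custom rule,
#    which is how a high-risk department gets stricter handling than the default.
New-SafeAttachmentRule -Name "Finance-SafeAttachments-Rule" `
    -SafeAttachmentPolicy "Finance-SafeAttachments" `
    -SentToMemberOf "Finance-Team@contoso.com" `
    -Priority 0

# 3. Tenant-wide switch that extends detonation to files in SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify what actually took effect rather than trusting the cmdlet's silence.
Get-SafeAttachmentPolicy -Identity "Finance-SafeAttachments" |
    Format-List Name, Enable, Action, QuarantineTag
Get-SafeAttachmentRule -Identity "Finance-SafeAttachments-Rule" |
    Format-List State, Priority, SentToMemberOf
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB
```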

Anti-Phishing Protection

Protection against phishing and spam that combines sender authentication checks with machine learning models over message content and sender behavior.

Daily Use: Analyze phishing reports; Tune policies based on false positives/negatives; Monitor impersonation attempts
  • Multi-layered filtering with spoof intelligence
  • Impersonation protection for specific users and domains
  • Mailbox intelligence learns each user's normal correspondents and flags senders that impersonate a known contact
  • Preset security policies (Standard/Strict) provide recommended configurations

Implementation:

  1. Configure anti-phishing policies with impersonation settings
  2. Enable mailbox intelligence to detect anomalous sending patterns
  3. Set up quarantine policies and notifications
  4. Use preset security policies for quick deployment
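The four steps above as one Exchange Online PowerShell session: a custom anti-phishing policy with user and domain impersonation protection, mailbox intelligence and spoof intelligence, scoped by a rule, followed by a check of whether the preset policies are in use. Added example, not the page's or Microsoft's code; the executive names, addresses, partner domain and policy names are placeholders.

```powershell
# Added example: anti-phishing policy with impersonation protection, mailbox intelligence
# and spoof intelligence, scoped by a rule. Names and addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Protected users are given as "DisplayName;EmailAddress". The display name is what a
# lookalike sender copies, so it must match the real directory entry exactly.
$execs = @(
    "Jane Doe;jane.doe@contoso.com",   # CEO (placeholder)
    "Sam Roe;sam.roe@contoso.com"      # CFO (placeholder)
)

# PhishThresholdLevel: 1 = Standard, 2 = Aggressive, 3 = More aggressive, 4 = Most aggressive.
New-AntiPhishPolicy -Name "Exec-Impersonation" `
    -Enabled $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $execs `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect "partnerbank.example" `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 3 `
    -EnableFirstContactSafetyTips $true `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableUnauthenticatedSender $true `
    -EnableViaTag $true

# Scope the policy; priority 0 beats the default policy and any other custom rule.
New-AntiPhishRule -Name "Exec-Impersonation-Rule" `
    -AntiPhishPolicy "Exec-Impersonation" `
    -RecipientDomainIs "contoso.com" `
    -Priority 0

# Preset security policies: their rules exist only once Standard/Strict has been turned on
# in the portal. An empty result here means the presets are not in use.
Get-ATPProtectionPolicyRule | Format-List Name, State, Priority, RecipientDomainIs
Get-EOPProtectionPolicyRule | Format-List Name, State, Priority, RecipientDomainIs
```

Mailbox-intelligence hits go to Junk (MoveToJmf) while explicit impersonation of a protected user or domain is quarantined; the former is a statistical signal with a higher false-positive rate, the latter is a near-certain attack.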

Data Loss Prevention (DLP)

Prevents accidental or intentional sharing of sensitive information across email, documents, chat and cloud services.

Daily Use: Review DLP alerts; Investigate policy matches; Adjust sensitive information types as needed
  • 300+ built-in sensitive information types (credit cards, SSNs, etc.)
  • Custom sensitive types and exact data matching
  • Policy tips educate users during policy violations
  • Cross-platform coverage (Email, Teams, SharePoint, OneDrive, endpoints)

Implementation:

  1. Define sensitive information types in Microsoft Purview compliance portal
  2. Create DLP policies with conditions and actions
  3. Configure user notifications and policy tips
  4. Run the policy in test mode (with or without policy tips) before enforcing it
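The implementation steps above from Security & Compliance PowerShell: a policy created in test mode, a rule on the built-in "Credit Card Number" sensitive information type that blocks external sharing once enforced, and the later switch to enforcement. Added example, not from the page or Microsoft; the admin UPN, report mailbox and policy names are placeholders.

```powershell
# Added example: DLP policy for payment card data, created in test mode and promoted to
# enforcement once the alert volume has been reviewed. Names/addresses are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# 1. Policy: locations and mode. TestWithNotifications shows policy tips and generates
#    alerts and incident reports but blocks nothing, so false positives surface before
#    anyone's mail is stopped.
New-DlpCompliancePolicy -Name "PCI-CardData" `
    -Comment "Payment card data leaving the organization" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Rule: condition plus actions. minConfidence 85 uses the high-confidence pattern
#    (Luhn checksum plus supporting keywords) so random 16-digit numbers do not match.
New-DlpComplianceRule -Name "PCI-CardData-External" `
    -Policy "PCI-CardData" `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1"; minConfidence = "85" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains payment card data and cannot be shared outside Contoso." `
    -GenerateIncidentReport "secops-dlp@contoso.com" `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# 3. Run this only after the review period: same policy, same rule, now enforcing.
Set-DlpCompliancePolicy -Identity "PCI-CardData" -Mode Enable

# Confirm mode and distribution (pending distribution is normal for a while after a change).
Get-DlpCompliancePolicy -Identity "PCI-CardData" | Format-List Name, Mode, DistributionStatus
```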

eDiscovery

Identifies, preserves, and collects electronically stored information for legal cases and internal investigations.

Daily Use: Create content searches for investigations; Place legal holds; Export data for analysis
  • Search across Exchange, SharePoint, OneDrive, Teams, and more
  • Preserve content with legal holds
  • Advanced indexing and search capabilities
  • Case management for organizing investigations

Workflow:

  1. Create eDiscovery case in Purview compliance portal
  2. Add custodians and place legal holds
  3. Create content searches with keyword queries
  4. Review results and export data
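The workflow above from Security & Compliance PowerShell: a case, a custodian hold, a scoped KQL search and a wait for its statistics. Added example, not from the page or Microsoft; the case name, custodian addresses, site URL, date range and search terms are placeholders.

```powershell
# Added example: eDiscovery case, custodian hold and a scoped content search.
# Case name, custodians, site URL and query terms are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.com

$case       = "Case-2024-017"
$custodians = @("custodian1@contoso.com", "custodian2@contoso.com")
$site       = "https://contoso.sharepoint.com/sites/ProjectX"

# 1. Case container for holds, searches and exports.
New-ComplianceCase -Name $case -Description "Project X contract dispute (placeholder)"

# 2. Hold: preserve the custodian mailboxes and the project site. A hold rule without
#    -ContentMatchQuery preserves everything in those locations; add a query to narrow it.
New-CaseHoldPolicy -Name "${case}-Hold" -Case $case `
    -ExchangeLocation $custodians -SharePointLocation $site -Enabled $true
New-CaseHoldRule -Name "${case}-HoldRule" -Policy "${case}-Hold"

# 3. Search: KQL limited to the date range and terms counsel asked for.
$kql = '(subject:"Project X" OR "wire transfer") AND sent>=2024-01-01 AND sent<=2024-06-30'
New-ComplianceSearch -Name "${case}-Search1" -Case $case `
    -ExchangeLocation $custodians -SharePointLocation $site -ContentMatchQuery $kql
Start-ComplianceSearch -Identity "${case}-Search1"

# 4. Poll until the search finishes, then read the statistics before deciding whether to
#    export (the export itself is driven from the case in the Purview portal).
do {
    Start-Sleep -Seconds 15
    $s = Get-ComplianceSearch -Identity "${case}-Search1"
} while ($s.Status -ne "Completed")
$s | Format-List Status, Items, Size, SuccessResults
```

Put the hold in place before the search, not after: a custodian who deletes while the search is being tuned removes evidence that no later hold can recover.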

Information Protection (Sensitivity Labels)

Classifies and protects sensitive data through sensitivity labels that apply markings and encryption, either automatically or by user choice.

Daily Use: Monitor label usage; Adjust auto-labeling policies; Investigate unprotected sensitive data
  • Automatic classification based on content and context
  • Visual markings (headers/footers/watermarks)
  • Encryption and access restrictions
  • Integration with Defender for Cloud Apps

Implementation:

  1. Create sensitivity labels in Microsoft Purview compliance portal
  2. Configure auto-labeling policies for specific conditions
  3. Publish labels through label policies
  4. Verify the labels appear in Office apps and Adobe Acrobat (built-in labeling)
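The implementation steps above from Security & Compliance PowerShell: a label with header, watermark and encryption, published to one group with downgrade justification, and an auto-labeling policy that starts in simulation. Added example, not from the page or Microsoft; the group address, label and policy names and the match threshold are placeholders.

```powershell
# Added example: sensitivity label with markings and encryption, a label policy, and an
# auto-labeling policy in simulation mode. Names and addresses are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# 1. Label. Rights are granted per principal as "address:RIGHT,RIGHT,...". The group gets
#    co-author rights; anyone not listed cannot open the content at all.
New-Label -Name "Confidential-Finance" `
    -DisplayName "Confidential - Finance" `
    -Tooltip "Financial data restricted to the Finance team" `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText "CONFIDENTIAL - FINANCE" `
    -ApplyWaterMarkingEnabled $true `
    -ApplyWaterMarkingText "Confidential" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "Finance-Team@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL" `
    -EncryptionOfflineAccessDays 7 `
    -EncryptionContentExpiredOnDateInDaysOrNever Never

# 2. Publish: the label appears in Office apps for the listed users only, and lowering
#    the label requires a justification that is written to the audit log.
New-LabelPolicy -Name "Finance-Labels" `
    -Labels "Confidential-Finance" `
    -ExchangeLocation "Finance-Team@contoso.com" `
    -AdvancedSettings @{ RequireDowngradeJustification = "true" }

# 3. Auto-labeling in simulation: items that would have been labeled are listed in the
#    portal; nothing changes until the policy mode is switched to Enable.
New-AutoSensitivityLabelPolicy -Name "Auto-Confidential-Finance" `
    -ApplySensitivityLabel "Confidential-Finance" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Name "Auto-Confidential-Finance-Rule" `
    -Policy "Auto-Confidential-Finance" `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "5" }) `
    -Workload Exchange, SharePoint, OneDriveForBusiness

# After reviewing the simulation results:
# Set-AutoSensitivityLabelPolicy -Identity "Auto-Confidential-Finance" -Mode Enable
```

Auto-labeling never downgrades an existing label and, for documents, only labels items that have none, so a simulation that shows fewer hits than the DLP policy for the same type is expected, not a configuration error.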

Attack Simulation Training

Automates the creation and management of phishing simulations to train users and reduce their susceptibility to real attacks.

Daily Use: Run targeted simulations; Assign training; Analyze results to identify vulnerable users
  • Real-world attack templates (credential phishing, malware, etc.)
  • Hyper-targeted training based on user behavior
  • Requires Defender for Office 365 Plan 2 license
  • Available in Worldwide, GCC, GCC High, and DoD environments

Workflow:

  1. Create simulation campaign in Defender portal
  2. Select payload and target user groups
  3. Configure landing page and training assignments
  4. Launch simulation and monitor results

Threat Investigation and Response

Tools for identifying, analyzing and remediating threats across email and collaboration workloads.

Daily Use: Investigate email campaigns; Analyze message traces; Remediate threats
  • Threat Explorer (Plan 2; Plan 1 has the narrower Real-time detections): near-real-time view of detected email threats with remediation actions
  • Automated Investigation & Response (AIR): Automates threat remediation
  • Threat Trackers: Monitors emerging threats
  • Campaign Views: Identifies coordinated attacks

Workflow:

  1. Use Threat Explorer to investigate recent threats
  2. Initiate automated investigations from alerts or manually
  3. Review investigation results and approve actions
  4. Track threat campaigns over time

Data Lifecycle and Records Management

Manages content throughout its lifecycle with retention and deletion policies that meet compliance requirements.

Daily Use: Apply retention labels; Review policy matches; Manage records
  • Retention policies preserve or delete content based on rules
  • Records management for regulatory compliance
  • Automated disposition review
  • File plan manager for organizing retention rules

Implementation:

  1. Define retention labels for different content types
  2. Create retention policies for locations (Exchange, SharePoint, etc.)
  3. Configure auto-apply rules for specific content
  4. Set up disposition review for content nearing deletion
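The four implementation steps above from Security & Compliance PowerShell: a retention label with disposition review, a policy that auto-applies it, and a baseline retention policy for all mailboxes. Added example, not from the page or Microsoft; the reviewer address, durations and names are placeholders.

```powershell
# Added example: retention label with disposition review, an auto-apply policy for it,
# and a baseline mailbox retention policy. Names, addresses and durations are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# 1. Retention label: keep 7 years (2555 days) from creation, then send to a reviewer
#    instead of deleting silently. IsRecordLabel turns labeled items into records, which
#    blocks edits and deletion for the retention period.
New-ComplianceTag -Name "Finance-Record-7y" `
    -Comment "Financial records, 7-year retention with disposition review" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType CreationAgeInDays `
    -IsRecordLabel $true `
    -ReviewerEmail "records-manager@contoso.com"

# 2. Auto-apply the label to content matching a sensitive information type.
New-RetentionCompliancePolicy -Name "Auto-Finance-Records" `
    -ExchangeLocation All -SharePointLocation All -Enabled $true
New-RetentionComplianceRule -Name "Auto-Finance-Records-Rule" `
    -Policy "Auto-Finance-Records" `
    -ApplyComplianceTag "Finance-Record-7y" `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" })

# 3. Baseline: keep all mail 5 years (1825 days) from last modification, then delete.
New-RetentionCompliancePolicy -Name "Mail-Baseline-5y" -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Name "Mail-Baseline-5y-Rule" `
    -Policy "Mail-Baseline-5y" `
    -RetentionDuration 1825 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# Distribution takes time; check it rather than assuming the policy is live.
Get-RetentionCompliancePolicy -DistributionDetail | Format-Table Name, Enabled, DistributionStatus
```

When a label and a policy both apply, retention wins over deletion and the longer retention period wins, so the 7-year label above overrides the 5-year baseline for anything it reaches.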

Allow/Block Lists and Mail Flow Rules

Granular control over senders, domains, URLs and file hashes to override or extend the default filtering verdicts.

Daily Use: Manage false positives/negatives; Block emerging threats; Create transport rules for special scenarios
  • Tenant Allow/Block List entries for senders, domains, URLs and file hashes
  • Allowed and blocked sender/domain lists inside anti-spam policies
  • Outbound spam filters to control external communications
  • Mail flow rules (transport rules) for advanced scenarios

Implementation:

  1. Access Allow/Block Lists in Defender portal → Policies & rules
  2. Add senders/domains to allow or block lists
  3. Submit false positives/negatives for analysis
  4. Create mail flow rules in Exchange admin center
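The list management steps above from Exchange Online PowerShell, plus a mail flow rule that tags external mail. Added example, not from the page or Microsoft; the domains, addresses, incident tag, all-zero hash and rule names are placeholders. Allow entries are normally created from the Submissions page and carry an expiry; the cmdlets here create block entries.

```powershell
# Added example: Tenant Allow/Block List block entries and a mail flow rule.
# Domains, addresses, the incident reference and the hash are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Block a sender domain and an address seen in an active campaign; block entries may be permanent.
New-TenantAllowBlockListItems -ListType Sender -Block `
    -Entries "phish.example", "invoice@phish-mail.example" `
    -NoExpiration -Notes "IR-2024-031 credential phishing"

# Block a URL for 30 days. No scheme; a trailing /* covers every path under the host.
# ExpirationDate must be UTC.
New-TenantAllowBlockListItems -ListType Url -Block `
    -Entries "login-contoso-secure.example/*" `
    -ExpirationDate (Get-Date).AddDays(30).ToUniversalTime() `
    -Notes "IR-2024-031 landing page"

# Block a file by SHA256 (placeholder hash).
New-TenantAllowBlockListItems -ListType FileHash -Block `
    -Entries "0000000000000000000000000000000000000000000000000000000000000000" `
    -NoExpiration -Notes "IR-2024-031 dropper"

# Review what is in place, and remove an entry that turned out to be a false positive.
Get-TenantAllowBlockListItems -ListType Sender -Block | Format-Table Value, ExpirationDate, Notes
Remove-TenantAllowBlockListItems -ListType Sender -Entries "invoice@phish-mail.example"

# Mail flow rule: mark external mail so impersonation of internal senders is visible
# to the reader even when no filter fires.
New-TransportRule -Name "Tag-External-Mail" `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -PrependSubject "[EXTERNAL] " -Priority 0
```

Record the incident reference in Notes on every entry: lists fill up with anonymous blocks that nobody dares remove, and the reference is what lets the next analyst expire them safely.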

Message Trace and Troubleshooting

Tools and techniques for investigating email delivery issues and security incidents.

Daily Use: Trace message delivery; Analyze filtering decisions; Investigate security alerts
  • Message trace for end-to-end email tracking
  • Enhanced Filtering for Connectors, so filtering sees the original source IP when mail arrives through a third-party gateway
  • Alert policies for security events
  • Submission portal for analyst review

Workflow:

  1. Use message trace to track email journey
  2. Check Enhanced Filtering for connector issues
  3. Review security alerts in the Microsoft Defender portal
  4. Submit questionable emails via Submissions portal
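Steps 1 and 2 of the workflow above from Exchange Online PowerShell: trace a suspect sender, pull the per-recipient filtering events for anything that was delivered, and enable Enhanced Filtering on an inbound connector. Added example, not from the page or Microsoft; the sender domain and connector name are placeholders.

```powershell
# Added example: message trace, per-message detail, and Enhanced Filtering for a connector.
# Sender domain and connector name are placeholders. Get-MessageTrace covers the last
# 10 days and is slated for retirement; current ExchangeOnlineManagement releases also
# ship Get-MessageTraceV2 with the same core parameters (check your module version).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$end   = Get-Date
$start = $end.AddDays(-7)

# 1. Every message from the suspect domain in the window (wildcards are allowed here).
$trace = Get-MessageTrace -SenderAddress "*@phish.example" -StartDate $start -EndDate $end
$trace | Format-Table Received, SenderAddress, RecipientAddress, Subject, Status

# 2. For messages that reached a mailbox, list the filtering events and the action taken,
#    which is the evidence for a false negative submission.
$trace | Where-Object Status -eq "Delivered" | ForEach-Object {
    Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId -RecipientAddress $_.RecipientAddress
} | Format-Table Date, Event, Action, Detail -Wrap

# 3. Enhanced Filtering: with a third-party gateway in front of EOP every message arrives
#    from the gateway's IP, so spoof and SPF checks are judged on the wrong hop.
#    EFSkipLastIP makes EOP skip that last hop and evaluate the true source.
Set-InboundConnector -Identity "From-ThirdPartyGateway" -EFSkipLastIP $true
Get-InboundConnector -Identity "From-ThirdPartyGateway" |
    Format-List Name, ConnectorType, EFSkipLastIP, EFSkipIPs, EFUsers
```

If the gateway does not add its own hop consistently, list its addresses in EFSkipIPs instead of relying on EFSkipLastIP; either way, confirm that the connector's source IPs are not also in an allow list, or the spoof verdict is bypassed entirely.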

Best Practices for Enterprise Deployment

Defender for Office 365

  • Enable preset security policies (Standard/Strict) for baseline protection
  • Configure Safe Links and Safe Attachments for all users
  • Implement impersonation protection for executives and finance teams
  • Run quarterly attack simulation training campaigns
  • Keep mailbox auditing enabled for security investigations (on by default; verify it has not been switched off for any mailbox)

Microsoft Purview

  • Classify sensitive data with sensitivity labels
  • Implement DLP policies for regulated data (PII, PCI, PHI)
  • Configure retention policies based on compliance requirements
  • Enable audit logging for critical activities
  • Establish eDiscovery workflows for legal requests

Integration Strategy

  1. Apply Purview sensitivity labels as governance actions in Defender for Cloud Apps
  2. Use Defender threat signals to trigger Purview data protection actions
  3. Correlate threat incidents with data governance events in Microsoft Defender XDR
  4. Enable automatic scanning for sensitivity labels in connected cloud apps

Implementation Roadmap

Phase      | Defender for Office 365                                   | Microsoft Purview                               | Timeline
Foundation | Configure email authentication (SPF, DKIM, DMARC)         | Enable audit logging; configure basic retention | Week 1
Protection | Enable Safe Attachments/Safe Links; apply preset policies | Create sensitivity labels; basic DLP policies   | Weeks 2-3
Prevention | Configure anti-phishing; attack simulation training       | Implement auto-labeling; retention policies     | Month 2
Detection  | Enable automated investigations; configure alerts        | Advanced DLP; insider risk management           | Month 3
Governance | Threat hunting; campaign analysis                         | Records management; eDiscovery workflows        | Ongoing
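The Foundation row of the roadmap, and the mailbox auditing item from the best practices, as a week-1 verification script. Added example, not from the page or Microsoft; it assumes Exchange Online PowerShell on Windows (Resolve-DnsName comes from the built-in DnsClient module), and the domain and admin UPN are placeholders.

```powershell
# Added example: week-1 checks for SPF, DKIM, DMARC and auditing.
# Runs on Windows (Resolve-DnsName). Domain and addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
$domain = "contoso.com"

# SPF: exactly one TXT record starting with v=spf1; for EXO it should include
# spf.protection.outlook.com and end in -all (hard fail) once sources are enumerated.
(Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue).Strings |
    Where-Object { $_ -like "v=spf1*" }

# DKIM: create the signing config disabled, publish the two CNAMEs it reports, then
# enable. Enabling before the CNAMEs resolve fails, which is why the order matters.
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false }
$dkim | Format-List Enabled, Selector1CNAME, Selector2CNAME

$published = foreach ($sel in "selector1", "selector2") {
    Resolve-DnsName -Name "${sel}._domainkey.${domain}" -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object Type -eq "CNAME"
}
if (@($published).Count -eq 2 -and -not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
}

# DMARC: start at p=none with rua reporting, move to quarantine/reject once SPF and
# DKIM align for every legitimate sender seen in the reports.
(Resolve-DnsName -Name "_dmarc.${domain}" -Type TXT -ErrorAction SilentlyContinue).Strings

# Auditing: unified audit log ingestion, org-level mailbox auditing, and any user
# mailbox where auditing was turned off (it is on by default, so exceptions are the finding).
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
Get-OrganizationConfig | Format-List AuditDisabled
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled
```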