The Essentials for Effective Security Monitoring

If you decide to have your networks and systems monitored around the clock for cyber threats and attacks, you benefit from the expertise and experience of our dedicated team. We rely on latest XDR technologies to enable effective and comprehensive monitoring. In this article, you'll learn which three Microsoft security products are essential and how they help strengthen your IT security.

Small and mid-sized businesses (SMBs) often subscribe to various Microsoft Business or Enterprise licenses. In many cases, we identify that critical security mechanisms are missing or only partially implemented. To deliver our Managed Detection and Response (MDR) service effectively and to ensure a high level of protection, three licenses are particularly important. They form the foundation of our service: Microsoft Entra ID P2, Microsoft Defender for Office 365 P2, and Microsoft Defender for Endpoint P2.

Why exactly are these three licenses essential? How do they add value to the protection of your IT infrastructure? We'll show you below by giving practical, real-world examples.

Microsoft Entra ID P2: Secure Access and Data Management in One Place

Microsoft Entra ID lets you centrally manage user identities in the cloud and control access to both Microsoft and third-party services. This solution protects your resources and data through secure authentication and intelligent, risk-based access policies. The following three features are key benefits:


Identity Protection: The Fundament of Digital Identity Security

This feature helps actively protect digital identities from theft and misuse. It detects suspicious activity using artificial intelligence (AI) and machine learning (ML) and automatically triggers security measures.

Examples of suspicious activity include:

  • Impossible Travel: A user logs into your corporate network from two distant countries within a short time. Since this trip isn't physically possible, the system flags it as risky.
  • Risky Users: A user signs in from a high-risk or unusual location they don't typically work from. Identity Protection treats this as suspicious.
  • Anonymous IP Address Usage: A user signs in using an anonymizing service. Because attackers often use these services to hide their identity, Identity Protection classifies the login as risky.

These risks trigger alerts and different automated or manual responses depending on your policies: block access, require multi-factor authentication (MFA), force password reset, and more. The data can be exported to other tools for archiving, further investigation, or correlation with other incidents.

Pro tip: You can find an overview of the risks detected and evaluated by Microsoft Entra Identity Protection here.

Bottom line: Identity Protection is critical because identity theft is the most common attack vector. It identifies and blocks compromised accounts in real time.

Privileged Identity Management (PIM): Secure Admin Access

PIM helps control privileged access and protects it from misuse or unauthorized use. Since permanent admin rights pose a high risk, PIM ensures that administrative privileges are granted only when needed. Each activation is monitored, and security measures like approval workflows or MFA are triggered automatically.

PIM protects against:

  • Compromised admin accounts: Even if an attacker gains access to an admin account (e.g., via phishing), they cannot immediately move laterally within your environment.
  • Insider misuse: Admins or other privileged users can’t make critical changes without justification or approval. Every activation is logged.
  • Human error: Since admin rights are only active when needed, PIM reduces the chance of accidental misconfigurations or deletions.

Bonus: This level of traceability and control over privileged access is required by many security and privacy standards (e.g., ISO 27001, NIS2, CIS Controls).

Bottom line: PIM reduces the risk of attacks, misuse, and errors by granting admin rights temporarily and with strict control.

Conditional Access (CA): More Control, Less Risk

This security feature allows access to applications and data only under defined conditions. Companies can set policies based on location, device, sign-in risk, or authentication method.

Examples:

  • Location: Access to corporate data is only allowed from the company network or via secure remote access (VPN).
  • Device: Only managed and secure company laptops can log into the network. All other devices are blocked.
  • Authentication: Access to sensitive apps like finance or HR systems is only granted with MFA.

Bottom line: Conditional Access helps reduce your attack surface and keeps you in control of who, when, where, and how critical systems can be accessed.

Microsoft Defender for Office 365 P2

Protect your Outlook emails and collaboration platforms like Microsoft Teams from phishing, malware, ransomware, and targeted attacks. The Plan 2 version provides proactive, high-level protection using automated threat detection and advanced AI-driven analysis.

Key Benefits of Microsoft Defender for Office 365 Plan 2:

Advanced Anti-Phishing: Smart Detection at the Highest Level

Phishing attacks are among the top threats to organizations. Sophisticated attacks often bypass traditional filters. Advanced Anti-Phishing protects your organization by analyzing sender behavior, detecting fraudulent domains, and flagging suspicious emails before any damage is done.

Typical phishing scenarios that can be recognized with Advanced Anti-Phishing:

  • CEO Fraud (Business Email Compromise, BEC): Your accounting team receives an urgent payment request from what appears to be your CEO. While the sender address looks legitimate, Advanced Anti-Phishing spots the deception through behavioral analysis and alerts the recipient.
  • Fake Login Pages: An employee is warned via email that their Microsoft 365 password is expiring. The embedded link leads to a convincing fake login page. The system blocks the message because the domain doesn’t match Microsoft’s legitimate servers.
  • Vendor Invoice Fraud: A company receives a fake invoice with an altered bank account from a seemingly trusted vendor. Advanced Anti-Phishing notices the domain is slightly off (e.g. @sample-company.com instead of @samplecompany.com) and prevents the email from being delivered.

Bottom line: Advanced Anti-Phishing uses AI and behavior-based detection to catch complex threats to keep your business safe.

Campaign View: Understand and Stop Threat Campaigns

Campaign View lets security teams analyze and track targeted phishing and malware campaigns using telemetry from the entire Microsoft 365 security ecosystem.

Key features:

  • Trace Attack Paths: See which users were affected, how many emails were delivered or blocked, and which security mechanisms were triggered.
  • Campaign Indicators: View detailed attacker signals, including sender addresses, malicious links, attachments, and tactics.
  • Take Action: Based on the analysis, admins can quarantine messages, notify impacted users, and take other containment steps.

Bottom line: Campaign View gives security teams clear visibility into targeted attacks so they can understand and respond quickly and effectively.

Attack Simulation Training: Turn Your Team into a Human Firewall

This feature boosts security awareness by simulating phishing and social engineering attacks to prepare your team for real-world threats.

Key aspects:

  • Realistic Simulations: Admins can create or select phishing campaigns from a built-in library to test how users respond.
  • Behavior-Based Training: The system tracks people who click on malicious links or open suspicious attachments, and provides instant, targeted training for those who fall for the simulations.
  • Insights & Reports: Detailed analytics reveal weak spots in user awareness and help improve your training strategy.

Bottom line: By combining realistic simulations with targeted training, you raise awareness and strengthen your company’s overall security culture.

Microsoft Defender for Endpoint P2: Protection Across All Layers

Microsoft Defender for Endpoint safeguards devices and servers from cyberattacks, detects threats in real time, and stops attacks early. It offers centralized monitoring, vulnerability management, and device control. The Plan 2 version enhances this protection with deep threat analytics, automated responses, and built-in tools for intervention and forensic investigation. Two particularly valuable features:

Defender Timeline: Track and Analyze Events

The Defender Timeline provides a detailed, chronological view of events on a specific device. It records all security-relevant activities and enables IT teams to investigate threats and trace their origin within the system.

The timeline shows:

  • Process and file activity (e.g., executed programs, modified files)
  • User logins (local and remote)
  • Network connections (including suspicious ones)
  • Registry changes and service installations
  • Security alerts and detected threats

Defender recommends appropriate actions such as blocking suspicious sessions, stopping harmful connections, or removing malware. Moreover, your advanced SOC provider will leverage the information to automate remediation.

Bottom line: The Timeline is a vital tool for security teams to understand, analyze, and stop threats quickly and efficiently.

Advanced Hunting: Dig Deep into Raw Data

Advanced Hunting is a powerful, query-based threat-hunting tool. It enables proactive custom investigations across Microsoft security solutions by giving access to rich telemetry and event data.

Investigation examples include:

Suspicious PowerShell Usage

Objective/Query

Check if attackers are using PowerShell for malicious activity.

Search for PowerShell commands that contain Base64-encoded code, a common obfuscation technique used by attackers.

Sample Result

An endpoint executed several suspicious PowerShell scripts with obfuscated code.

One of the processes was started from an unknown user account.

Recommended Action

Isolate the device.
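The Base64 search described in this example, written out as an Advanced Hunting query. This is an added example, not the article's own query; it assumes the standard DeviceProcessEvents schema of Defender for Endpoint, and the seven-day window is a chosen assumption.

```kql
// Added example: PowerShell started with Base64-encoded code (assumes DeviceProcessEvents schema)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// Two common shapes: an -EncodedCommand switch (powershell.exe also accepts the
// abbreviations -e, -ec, -en, -enc) or an inline FromBase64String call inside the script
| extend EncodedArg = extract(@"(?i)\s-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
| where isnotempty(EncodedArg) or ProcessCommandLine has "FromBase64String"
// -EncodedCommand carries UTF-16LE text; decoding it as UTF-8 leaves a NUL byte after
// every character, which is stripped here so the analyst can read the command
| extend DecodedCommand = iff(isnotempty(EncodedArg), replace_regex(base64_decode_tostring(EncodedArg), @"\x00", ""), "")
// AccountDomain/AccountName surface the "unknown user account" case from the sample result
| project Timestamp, DeviceName, AccountDomain, AccountName, InitiatingProcessFileName, DecodedCommand, ProcessCommandLine
| order by Timestamp desc
```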

Office App Launching cmd.exe or Other Script Interpreters

Objective/Query

Detect suspicious behavior where Office applications (like Word, Excel, or Outlook) launch command-line tools or script interpreters.

Sample Result

A record shows EXCEL.EXE launched mshta.exe with a URL pointing to an unknown external server.

This suggests a malicious macro in an Excel file attempted to fetch and execute remote HTML application (HTA) code from the internet.

Recommended Action

Block the URL in your XDR platform. Isolate the affected device.
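The Office-to-interpreter check from this example, as an Advanced Hunting query. This is an added example, not the article's own query; it assumes the DeviceProcessEvents schema and a chosen seven-day window, and the interpreter list is an assumption that extends the cmd.exe and mshta.exe named in the text.

```kql
// Added example: Office application spawning a command-line tool or script interpreter
DeviceProcessEvents
| where Timestamp > ago(7d)
// Parent must be an Office application (assumed list)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
// Child is a shell or script interpreter that a document has no normal reason to start (assumed list)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe")
// Pull any URL from the child command line, as in the EXCEL.EXE -> mshta.exe sample result,
// so the analyst has the value to block in the XDR platform
| extend RemoteUrl = extract(@"(?i)(https?://\S+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, RemoteUrl
| order by Timestamp desc
```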

Bottom line: Advanced Hunting helps IT teams identify hidden threats. It complements automated detection mechanisms that only catch known threats.


Security Requires a Holistic Approach

IT security isn’t effective with a patchwork approach. Loosely tied and uncoordinated measures are not enough to protect your organization from cyberattacks.

Our MDR service delivers its full value only when the essentials are in place. That’s why we insist on the combination of Microsoft Entra ID P2, Microsoft Defender for Office 365 P2, and Microsoft Defender for Endpoint P2.

Together, they form the core to shield your assets effectively:

  • Entra ID P2 protects identities and offers powerful access management.
  • Defender for Office 365 P2 secures emails and collaboration tools with AI-powered threat detection and strong anti-phishing defenses.
  • Defender for Endpoint P2 provides comprehensive endpoint protection through proactive threat detection, automated response, and forensic analysis to minimize damage fast.

With these tools, we can systematically monitor access to your systems and networks, detect typical security incidents early, and act quickly and decisively when it matters most.


Let’s work together to ensure your IT environment is as secure as it can be.

We are glad to provide further information.