Cybersecurity Engineer at a computer software company with 1,001-5,000 employees
You can scan the systems remotely to get a complete inventory of assets
Pros and Cons
- "Defender XDR enables you to scan a system remotely and get a complete inventory of its assets. You can gather more information from the asset inventory and apply threat intelligence using Office 365 or something."
- "The initial time spent setting up and configuring Defender XDR is a bit longer than the other solutions. If everything were on one portal, the platforms for managing policies or alerts would be simpler. We must automate and manage policies on Intune rather than the same portal."
What is our primary use case?
We use the entire 365 security package. Defender XDR is primarily used for real-time malware scanning. Our company has about 1,500 endpoints.
How has it helped my organization?
Before Defender, we used a different tool but were unhappy with its performance and frustrated with the deployment. Defender offers real-time scanning and alert notifications.
By adopting the Microsoft stack, we have eliminated other security solutions. Defender XDR reduces manual work. Our organization manages more than 1,500 systems, and manual intervention on all these systems would be a huge workload. Cloud solutions are easier to manage and monitor.
We are a massive Microsoft shop. We see significant savings by getting all of our security from one vendor. There is a considerable drop compared to buying from other vendors.
What is most valuable?
Defender XDR enables you to scan a system remotely and get a complete inventory of its assets. You can gather more information from the asset inventory and apply threat intelligence using Office 365 or something. It's a user-friendly, cost-effective, and feature-rich solution. The XDR features offer considerable value because you get more insights from your user systems.
Microsoft Defender XDR stops the movement of advanced attacks by working with the complete 365 package. For example, you can create rules for email filtering to block phishing emails. I can create rules for email filtering. If there are any suspicious links in an email or its attachments, we can quarantine that email. It notifies the admin or the user. The user can ask the admin to remove the email from the quarantine. We can investigate the email before it reaches the endpoint. Defender also has web content filtering and all the other EDR file features.
Defender's ability to adapt to evolving threats is critical today. The number of attacks today is multiplying, and Defender's adaptability and awareness are amazing.
What needs improvement?
The initial time spent setting up and configuring Defender XDR is a bit longer than the other solutions. If everything were on one portal, the platforms for managing policies or alerts would be simpler. We must automate and manage policies on Intune rather than the same portal.
Buyer's Guide
Microsoft Defender XDR
June 2025

Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
861,390 professionals have used our research since 2012.
For how long have I used the solution?
I have used Microsoft Defender XDR for nearly 14 months.
What do I think about the stability of the solution?
I am very satisfied with Defender's stability. It's a reliable solution that improves our confidence in our security.
How are customer service and support?
I rate Microsoft support seven out of 10. I would like Microsoft's support to be a little more robust and technical.
How would you rate customer service and support?
Neutral
How was the initial setup?
Deploying Defender XDR is pretty straightforward. We deployed it in phases with deadlines. It took a couple of months. We met all our deadlines, and it wasn't a very complex solution to implement.
We prepared and configured the tenant. Next, we created XDR policies and groups and orchestrated our requirements. We tried pushing the policies to see if the endpoints received them and sent the required information back to the admin portal. There was a testing period before we went live. Deployment only required two people.
Defender doesn't require much maintenance after deployment because it's a cloud-based solution. We only need to tweak and update the policies, then push them out.
What's my experience with pricing, setup cost, and licensing?
Defender XDR is reasonably priced based on the licenses we need and the solution's capabilities. At the same time, Defender is a little pricier than some of the other solutions.
Which other solutions did I evaluate?
We also considered CrowdStrike and Trend Micro. Trend Micro came the closest to meeting our expectations. Ultimately, we decided to use Defender XDR because we already used most of the Microsoft products, so it was a little more cost-effective.
What other advice do I have?
I rate Microsoft Defender XDR nine out of 10. Before deploying Defender XDR, potential users should be informed about the pricing, support, and the labor required to manage, maintain, and deploy the solutions.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Helps us reduce the security solutions used, provides unified identity and access management, and saves our security team time
Pros and Cons
- "The most valuable features are spam filtering, attachment filtering, and antivirus protection."
- "Microsoft Defender XDR is not a full-fledged EDR or XDR."
What is our primary use case?
We use Microsoft Defender XDR to protect our endpoints, computers, mobile devices, and emails.
How has it helped my organization?
In part, Microsoft Defender XDR provides unified identity and access management.
Microsoft Defender XDR can protect 98 percent of devices.
With Microsoft Defender XDR we can now manage all of our non-critical computers from one console. The management level and implementation level are easy. Microsoft Defender XDR is also cost-effective.
We have been using Microsoft solutions for over 25 years, so it didn't take much convincing to start using Microsoft Defender XDR.
Microsoft Defender XDR has enabled us to discontinue the use of Kaspersky in our safe computers.
Being able to reduce the number of solutions used has been helpful to our security team's operations. The discontinued use of other security products has reduced manual correlation. Using Microsoft has a lot of advantages, especially in management. The reduction in manual correlation is important for our organization.
Microsoft Defender XDR saves our security team around three hours a day.
What is most valuable?
The most valuable features are spam filtering, attachment filtering, and antivirus protection.
What needs improvement?
Microsoft Defender XDR is not a full-fledged EDR or XDR. Any true XDR should be more powerful than what Microsoft is currently providing. For some public-facing companies, computers, and endpoint computers, we need additional security from CrowdStrike or other third-party XDR.
Microsoft Defender XDR does not stop 100 percent of the lateral movement or advanced attacks. Our machines use both Microsoft Defender XDR and CrowdStrike, and we have had instances where attacks were missed by Microsoft Defender XDR but caught by CrowdStrike.
For how long have I used the solution?
I have been using Microsoft Defender XDR for four years.
What do I think about the stability of the solution?
Microsoft Defender XDR is stable.
What do I think about the scalability of the solution?
Microsoft Defender XDR is scalable.
Which solution did I use previously and why did I switch?
We previously used Kaspersky, Norton, and CrowdStrike. We switched to Microsoft Defender XDR because of its streamlined management capabilities.
How was the initial setup?
The initial deployment was straightforward. We pushed Microsoft Defender XDR remotely across our system consisting of 300 computers. We are a team of seven people and each of us was involved in the deployment process.
What about the implementation team?
The implementation was done in-house.
What's my experience with pricing, setup cost, and licensing?
Microsoft Defender XDR is expensive.
Which other solutions did I evaluate?
We did not evaluate other security solutions because I have extensive knowledge of most products, their strengths and weaknesses, and their overall capabilities. Additionally, considering all our products are on Microsoft 365, a cloud-based platform, and we already utilize its various components like mail, documents, and more, integrating Microsoft Defender for threat detection and management was a natural choice due to existing ecosystem compatibility and streamlined administration.
What other advice do I have?
I would rate Microsoft Defender XDR an eight out of ten.
Microsoft Defender XDR is deployed across multiple locations and departments.
Minimal maintenance is required for patching.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Project Manager at Freedom Systems Inc.
A time-saving and easy-to-integrate product that needs to offer a control center to users
Pros and Cons
- "The most valuable feature of the solution stems from the fact that Microsoft Defender XDR is easy to integrate with other Microsoft platforms or products."
- "Generally, antivirus products provide a central control to manage every device in terms of who is installing it or who is trying to disable it, but Microsoft doesn't have such a control center for the antivirus product it provides."
What is our primary use case?
My company operates as a service provider, so we use Microsoft Defender XDR in our office to provide our customers with security services.
How has it helped my organization?
I won't say that the product helped improve how my organization operates, but there is a need to build trust between the user and the product. Microsoft Defender XDR has been used in my organization since we purchased Windows 10 or 11, after which a user does not need to install any products from Microsoft separately. Some of my company's customers insist they want to install antivirus software separately in their environment due to trust issues.
What is most valuable?
The most valuable feature of the solution stems from the fact that Microsoft Defender XDR is easy to integrate with other Microsoft platforms or products. Some other vendors of security products provide great features or capabilities of detection, but the best feature of Microsoft is its integration capability.
What needs improvement?
One important point about the solution that is an area of concern where improvements are required is related to the control center it provides. Generally, antivirus products provide a central control to manage every device in terms of who is installing it or who is trying to disable it, but Microsoft doesn't have such a control center for the antivirus product it provides.
For how long have I used the solution?
I have been using Microsoft Defender XDR for three years. My company has a partnership with Microsoft. My company is also a reseller of Microsoft products.
How are customer service and support?
As a part of Microsoft's attempt to reduce costs, there has been a direct cut down of the local technical support team. Sometimes, you have to use the technical support offered by Microsoft from other countries, but at times, we speak different languages, just like how people speak in Chinese or Mandarin, but there are still some differences between them. The front-line support from Microsoft has only limited technical abilities or access to their internal system. Sometimes, my company cannot even escalate an issue to Microsoft's senior team members.
The support team of Microsoft is nice as they attempt to solve the problems together with you, but I believe that due to some cost-related issues, they don't have enough permissions. Sometimes, users might feel blocked when trying to connect with the support team.
I rate the technical support a seven out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
My company started with Microsoft Defender XDR when we partnered with Microsoft. Some of our company's customers prefer CrowdStrike, Fortinet, and FortiSIEM.
How was the initial setup?
You don't need to indulge in troubleshooting, making the initial setup phase an easy process because you could just use a GPO on your server to deploy everything. When there comes a problem to onboard some specific devices, and you need to indulge in troubleshooting, sometimes Microsoft Defender XDR's team says it is a problem with the devices a user is trying to onboard, and it's really hard for our company as service providers since we cannot always ask customers to reinstall their server.
What's my experience with pricing, setup cost, and licensing?
Microsoft purposely makes its license combinations complex and includes combinations like Microsoft 365 E3 and Microsoft 365 E5, Office 365 E3, Office 365 E5, and Office 365 E1, so you get confused. Microsoft tries to sell you a bundle of a lot of things together. The licensing model of the product should be made more understandable.
Which other solutions did I evaluate?
There are other good products in the market, and it is difficult to state which one is better since all of them have micro differences in terms of pricing. There may be components like the user interface or maybe some other elements to judge other products, but when it comes to Microsoft, the most important factor stems from the fact that most people use Windows, so it's all integrated.
What other advice do I have?
The product provides unified identity and access management as long as I use all of the products offered by Microsoft.
It is important for me that identity and access management are included within Microsoft Defender XDR because everything is controlled by your identity in the digital world, making it look like a user's government ID in the digital world. My company has tried a lot to talk to and educate our customers since some try not to use a complex password or MFA, which is the most important thing to protect your identity.
Some integration functions in the Azure portal allow users to integrate their third-party applications. With the solution, it is not easy to track third-party applications. For transactions recognized by your credentials, it is not easy to track as they would stop, after which we are informed there is a problem. In my organization, we only know how some third-party applications ask to check the credentials, but we don't know what Microsoft Defender XDR does with it, so the product's security doesn't extend beyond just Microsoft technologies.
The product does stop lateral movement and advanced attacks like ransomware or business email compromise. The product blocks a lot of ransomware, which is good. It is considered to be a strict product, so if some of our customers use some local mail service, they have been blocked because Microsoft considers it to be not secure. Microsoft puts a lot of effort into security.
Microsoft Defender XDR's ability to stop attacks covers the product's ability to adapt to evolving threats. It is better to use it as a cloud-based solution that keeps adapting to changes and providing new features.
The product must adapt and evolve to manage threats since there is a new zero-day vulnerability every day, and there is no way to get protection from it. You cannot rely on the users or the admin to upgrade the features daily, so it's better to adopt it automatically with a cloud-based solution like Microsoft Defender XDR.
There were some problems when my organization tried to discontinue other products during the implementation phase of Microsoft Defender XDR since Microsoft tried to integrate all the products in our organization's environment together. If you have used Microsoft Defender XDR, you have to use an antivirus from Microsoft along with Microsoft Identity Platform Endpoint to get the best results. Sometimes, some customers may try to install some third-party antivirus in their environment other than the one provided by Microsoft, which gets blocked. Sometimes, antivirus software from a vendor goes into passive mode. When an antivirus software is in passive mode, some of its advanced features are not usable, causing some problems the user needs to deal with when using it.
The product's ability to save costs depends on how a user looks at a problem while using the solution. I worked as a part of the security team, and we always used to talk to our company's customers. The solution is sometimes like insurance, especially if you want to avoid some bigger problems and you need to spend some money to protect your environment. In some other IT teams or from some other client's point of view, Microsoft Defender XDR costs a lot of money, and they don't see anything. In the security world, no news is good news. You don't want to have to see everything happen and get plenty of alerts trying to prove the product's worth. The product has to control the attack surface so that you won't be attacked that much, or if there are any attacks, it can reduce the impact.
The product definitely saves time for my organization and our company's client teams, especially considering that it is not possible to manually go through the logs every day. The product did help pop up the abnormal activities so that my organization could just review the important things or abnormal activities.
It is hard to say how much time the product saves since it depends on factors like whether you are using some other products or using Microsoft Defender XDR alone. I guess that the product can save over 60 percent of my organization's time. When you use Microsoft Defender XDR in your IT infrastructure, and it works for you, then you just put it in there, and you will come to know when there are some abnormal activities or when you are attacked. With Microsoft Defender XDR, you can get some signs if you are being attacked.
Microsoft Defender XDR is a nice solution and can be combined with other solutions from Microsoft, but they offer limited flexibility. I want the product to be a high surveillance solution for me and not just an information-oriented tool, but nowadays, Microsoft doesn't provide any options to help choose the users' preferences.
I rate the overall product a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
It helps us deal with unknown threats by creating custom policies
Pros and Cons
- "I like 365 Defender's advanced threat hunting. The dashboard is user-friendly with templates for site policies, etc. The most important use case is evaluating the risk links and applications."
- "The cost can be high if you want to build custom license packages. Another area for improvement is the policies. In Azure, we need to implement policies in JSON format, but in 365 Defender, it would be helpful to use a different format so we can customize the platform."
What is our primary use case?
We use 365 Defender to manage organization-level devices and vendor security compliance. We are a retail-focused organization that offers cloud services through Azure, GCP, and AWS, but we manage all the security through 365 Defender. Some of our users are based in other countries, and everything is centralized. We operate in multiple regions.
How has it helped my organization?
We can easily track any other malicious activities or additional applications that will prevent it. We can get it here. It will be a helpful tool once we create policies for DLP and third-party programs.
365 Defender stops the lateral movement of advanced attacks. It prevents something that happens on the device level from affecting us on the organization level. The solution enables us to track all the details, like the IPs and the device types.
365 Defender helps us deal with unknown threats by creating custom policies, which enable us to block access by specific unknown sources and unsafe links. 365 Defender has multi-tenant capabilities, and we have multiple tenants, but I'm only involved in the retail part, so I don't have authority over other tenants.
We were able to discontinue some of our other security products when we implemented 365 Defender, but there are some exceptions. We can use non-Microsoft solutions when the customer requires it. Mostly, we use cloud solutions. We've saved some costs on the security side at the organizational level by reducing equipment costs. Using 365 Defender's automation capabilities, we can cut our vulnerability management time by about 40-50 percent.
What is most valuable?
I like 365 Defender's advanced threat hunting. The dashboard is user-friendly with templates for site policies, etc. The most important use case is evaluating the risk links and applications.
What needs improvement?
The cost can be high if you want to build custom license packages. Another area for improvement is the policies. In Azure, we need to implement policies in JSON format, but in 365 Defender, it would be helpful to use a different format so we can customize the platform.
For how long have I used the solution?
I have used 365 Defender for more than two years.
What do I think about the stability of the solution?
365 Defender can have some performance issues during enrollment. It can take a while at times, but sometimes it's duplicated immediately. That's an issue with some other cloud-based programs like Intune and Azure products.
How are customer service and support?
I rate Microsoft 365 Defender support nine out of 10. Their support representatives provide solutions based on priorities. They prefer to follow the proper SLA part.
How would you rate customer service and support?
Positive
How was the initial setup?
The deployment is quick, straightforward, and involves only two people.
What's my experience with pricing, setup cost, and licensing?
Sometimes 365 Defender is expensive, but it can be moderate, depending on the organization's size and the license type. We're satisfied with the cost because it gives us a product that protects our entire environment with DLP. To compromise some cost, of course, we are to complete the most secure environment.
What other advice do I have?
I rate 365 Defender nine out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Cloud Security Engineer at Dialog Axita PLC
Offers antiphishing, antispam, and stage three antivirus but has poor support
Pros and Cons
- "All of the security components are valuable, including antiphishing, antispam, and stage three antivirus."
- "The support team is not competent or responsive."
What is our primary use case?
Microsoft 365 Defender is used for our threat policies, configuration, and security protection.
How has it helped my organization?
The current level of threat visibility is good.
Microsoft 365 Defender helps prioritize threats across our enterprise, which is important for our organization.
The mail component within our organization is the most critical part and Microsoft 365 Defender plays a big part in protecting that component.
We have integrated Microsoft 365 Defender with Defender for Cloud, and Sentinel. Integrating the solution with Defender for Cloud is easy.
The integrated solutions work natively together to deliver coordinated detection and response across our environment, which is important for our organization.
The comprehensiveness of the threat-protection that Microsoft products provide is good.
The bidirectional sync capability of Defender for Cloud is important for our organization.
The bidirectional sync of Defender for Cloud helps us secure our network.
Microsoft Sentinel allows us to investigate data from our entire ecosystem.
The ingestion of data into our security operations is critical, and Sentinel does a better job than the other solutions we tried.
Microsoft Sentinel enables us to investigate threats and respond holistically from one place, which is important for us.
The built-in UEBA and threat intelligence capabilities are good.
Microsoft 365 Defender helps our organization by detecting false positives.
Our Microsoft security solutions help automate routine tasks and help automate the finding of high-value alerts.
The automation has helped us with our playbook.
The solution has helped eliminate multiple dashboards by providing one XDR dashboard.
Having one XDR dashboard allows us to react to threats faster.
Microsoft 365 Defender's threat intelligence helps us prepare proactively for potential threats before they hit.
Microsoft 365 Defender has saved us between one and three months of time.
Microsoft 365 Defender has saved us time to detect and respond.
We have saved a significant amount of money with the implementation of Microsoft 365 Defender. Prior to using this solution, we encountered costly incidents.
What is most valuable?
All of the security components are valuable, including antiphishing, antispam, and stage three antivirus.
What needs improvement?
Additional visibility into log analytics would be beneficial. For instance, if an attachment was affected by malware, it would be helpful if Microsoft 365 Defender could provide more specific details about the origin of that particular malware, such as where it originated from. Any additional information in this regard would be greatly appreciated.
The integration of Microsoft 365 Defender with Sentinel is a bit complex when integrating custom connectors.
The cost of using Microsoft Sentinel is dependent on the size of the data the solution will ingest. I would like Microsoft to provide proper guidance on the sizing so we know what we will be spending.
Technical support has a lot of room for improvement. The support team is not competent or responsive.
For how long have I used the solution?
I have been using the solution for one year.
What do I think about the stability of the solution?
Microsoft 365 Defender is stable.
What do I think about the scalability of the solution?
Microsoft 365 Defender is scalable.
How are customer service and support?
The quality of technical support we receive is poor. We encounter difficulties while dealing with the support team, even for critical incidents. Moreover, we always receive a response from the same engineer. However, they are not cooperative in using Microsoft Teams or joining a call with our clients.
How would you rate customer service and support?
Negative
How was the initial setup?
The initial setup is straightforward. The deployment was completed by two people and required seven to eight days.
What about the implementation team?
The implementation was completed in-house.
What's my experience with pricing, setup cost, and licensing?
The licensing fee for Microsoft 365 Defender is fair.
What other advice do I have?
I give the solution a seven out of ten.
The solution is deployed across multiple locations.
We have 5,000 users.
We have three administrators for the solution.
When an organization is already using other Microsoft solutions, it is best to use Microsoft 365 Defender because of the seamless integration.
Microsoft 365 Defender is not difficult to implement and can be utilized by anyone.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Security Consultant at G.Network
Effective OS threat detection with room for enhanced threat hunting capabilities
Pros and Cons
- "Vulnerability assessment and just-in-time access are some valuable features of Defender for server plans."
- "Microsoft could improve on threat hunting and build more on threat detection and handling. The cybersecurity and cloud security posture features are a bit lesser than standard security products."
What is our primary use case?
We are yet to use Microsoft Defender XDR for ourselves as we are yet to procure the product.
What is most valuable?
Vulnerability assessment and just-in-time access are some valuable features of Defender for server plans. Additionally, the threat detection at the OS level is a very good feature of Defender.
What needs improvement?
Microsoft could improve on threat hunting and build more on threat detection and handling. The cybersecurity and cloud security posture features are a bit lesser than standard security products.
For how long have I used the solution?
We have not yet used Microsoft Defender XDR as we are yet to procure the product.
Which solution did I use previously and why did I switch?
I was working with CrowdStrike before Microsoft Defender XDR. CrowdStrike has advantages in terms of threat hunting.
What was our ROI?
We are doing it for the first time, so I have nothing to compare in terms of ROI.
What's my experience with pricing, setup cost, and licensing?
The pricing is a little high; however, it is on par with other competitive tools in the market.
Which other solutions did I evaluate?
I have not evaluated other XDR solutions besides CrowdStrike.
What other advice do I have?
I would recommend Microsoft Defender XDR to others as long as they are aligned with Microsoft products, cloud, or on-prem, especially if they are using Microsoft Windows architecture. I would rate Microsoft Defender XDR six out of ten overall.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Nov 24, 2024
Network & Security Manager at SNP Technologies, Inc.
Combined with Sentinel, we get a wholesale view over the entire infrastructure
Pros and Cons
- "The most valuable feature is the DLP because that's where we can have an added data protection layer and extend it not just to emails but to the documents that users are working on. We can make sure that sensitive data is tagged and flagged if unauthorized parties are using it."
- "There is definitely scope for improvement in the automation area. Because the solution is a SaaS platform, we don't have the overall ability to automate stuff.... There is no direct way to go ahead because it's a SaaS platform."
What is our primary use case?
We use 365 Defender with Outlook, Teams, and SharePoint. Our organization extensively uses these products as do the clients we serve. Our goal is to secure those email, SharePoint, and Teams environments.
How has it helped my organization?
Our Microsoft security solution has helped eliminate having to look at multiple dashboards. For a wholesale view over the entire infrastructure, Sentinel is the place to go. But M365 Defender alone only covers 30 to 40 percent of the infrastructure.
We have saved a lot of time compared to having to do tasks with other tools. With Microsoft, it's easier for us to manage and handle them. It saves us about 40 percent of the time it would have taken us. That includes the automating of detection and response.
What is most valuable?
The most valuable feature is the DLP because that's where we can have an added data protection layer and extend it not just to emails but to the documents that users are working on. We can make sure that sensitive data is tagged and flagged if unauthorized parties are using it.
The information that the solution provides is pretty clear because I have an overall picture from the compliance dashboard, which is now called the Azure Purview Compliance dashboard or manager. It has all the information, including the DLP information, sensitive data being shared, threat protection, and attacks. All of that is on a single dashboard where I see what the state of security is.
We use the entire suite of Purview features, including Sentinel, Defender for Cloud Apps, Defender for Endpoint, and even new features like Microsoft Defender for DevOps. Sentinel is the out-of-the-box SIEM tool that should definitely be used for more visibility on the M365 side. Of course, we have the compliance dashboard, but Sentinel acts as the single point of contact for visibility into all devices. That way we can see, if there are any threats or vulnerabilities, what the dependent resources are. Sentinel helps give us that bigger picture. We also use Defender for Identity and Defender for Cloud, with different features for the different aspects within the cloud, such as various servers and DNS, et cetera.
With its different connectors, Sentinel enables us to collect data from our entire ecosystem. All the logs are injected into a workspace in Sentinel where Sentinel can analyze them. If we unlock the Microsoft threat intelligence program, which is part of Sentinel, we can investigate threats and respond holistically from one.
Integrating these products is pretty simple. Microsoft Sentinel integrates really fast. Obviously, it's from the same stack so it's easy for us to integrate with just the click of a button. The connectors then help us integrate these services.
If we have all these products in use, we can achieve a 90 to 95 percent security maturity model, without requiring any other vendors' solutions to protect resources.
What needs improvement?
There are two areas where I feel there is no Microsoft solution. One is vulnerability management, where Microsoft is partnered with Qualys. The other is a penetration testing tool on the preventive side. That would be more for an ad hoc request and not for everyday functions. Apart from these, all the other areas can be covered with Microsoft solutions.
There is definitely scope for improvement in the automation area. Because the solution is a SaaS platform, we don't have the overall ability to automate stuff. By integrating Microsoft 365 Defender with Sentinel, we can definitely automate things. We can leverage playbooks, and execute Terraform scripts. But directly automating tasks in the 365 Defender is something we have to do with PowerShell, which is then connected to Exchange Online. There is no direct way to go ahead because it's a SaaS platform. But if you integrate it with Sentinel, where all the alerts are created and action needs to be taken, it is pretty comfortable for automation.
Also, I would like to see it be a lot less policy driven. On the M365 side, there are a lot of policies that we need to enable to achieve a certain task. There is no direct solution; rather, there are a lot of workarounds.
I understand that Microsoft is dealing with a lot of tools at once and having a direct solution is not viable. But I would hope that Microsoft can improve that side of it.
For how long have I used the solution?
I have been using Microsoft 365 Defender for more than five years.
What do I think about the stability of the solution?
It's a pretty stable solution and in terms of the SLAs it is pretty good. When it comes to applying policies and the standard documentation that Microsoft provides, everything works according to that. I would rate the stability a nine out of ten.
What do I think about the scalability of the solution?
It surely is a scalable solution, being a service that Microsoft offers.
How are customer service and support?
The technical support is not great. I have been working with these Microsoft products for quite some time, and I have raised issues and contacted them. Every support case I have raised has needed escalation. From my experience, the first-line support team doesn't have anything other than out-of-the-box solutions. Everything with that level of support is pretty standard, SOP-driven, and documentation driven. That is nice, but only to a certain point. When we are talking about the SOP that a level-one engineer does, that's when the support is very poor.
How would you rate customer service and support?
Negative
Which solution did I use previously and why did I switch?
We previously had on-prem solutions. For Exchange and for endpoints, we used to have McAfee, but that was more than five years ago. Previously, Defender for M365 used to be ATP, Advanced Threat Protection, and that's when we started using it.
Previously, we had many things on-prem, such as Exchange Servers, SharePoint, and database servers. But as Microsoft drove toward cloud-native solutions and moved Exchange, SharePoint, and Dynamics 365 online, moving to M365 was a part of the move.
How was the initial setup?
There is no straightforward solution with Microsoft. There are definitely a few restrictions and limitations. We should go ahead and call that out and there were definitely challenges.
The major challenge was moving the mailboxes from on-prem Exchange to Exchange Online. That was not straightforward because the goal was not to lose any emails, and certain format-related issues had to be taken care of.
We followed a waterfall method with a proper plan of action. We performed a PoC first, to make sure that the test users were migrated successfully. Once that was done, we did a proper plan in terms of department hierarchy for migrating our departments and detailed a plan of action in case there were any failures. We then did a proper pilot where we chose about 25 mailboxes for migration, and then we went ahead and migrated everyone.
One of the reasons it took six months was there were only five of us involved.
Because it is a SaaS service, Microsoft promises three nines of uptime. There is no maintenance on our side.
What was our ROI?
We are seeing a return on investment compared to the same types of solutions that we used to have five years ago. We would have spent more than what we are spending right now. It's not just about the licensing, it's also about the team that manages it and the operations side of it. But compared to how things were, the return on investment has been positive.
I doubt that we are saving money with this solution because all the features are only available with a Microsoft 365 E5 license, which is the highest. And that doesn't come cheap because it's on a per-user basis. If there are 1,000 users, you are investing a lot.
What's my experience with pricing, setup cost, and licensing?
The pricing model of Sentinel is entirely different from any other standalone SIEM tool. Other tools work on a licensing model with a fixed price based on the different modules that are enabled. Sentinel is not a fixed price. It depends on how much data is injected into it. With Microsoft, if there are 100 GB per month, it's about $2.30 per GB, or around $2,000 on a monthly basis. Compared to a fixed licensing cost, where organizations know that there is a certain budget they need to put aside for the license, on the Microsoft side, we really can't anticipate the cost.
The pricing of Microsoft 365 Defender is definitely on the costly side, but with the features and services that Microsoft provides, such as the seamless integration of all the Defender tools, while the price is on the higher side, there is no alternative.
What other advice do I have?
My advice would be to try out Microsoft and compare it with other vendors. If your vision for Microsoft includes needing customizations and a lot of use cases, I don't think Microsoft M365 would support that. Where Microsoft shines is the seamless integration and dealing with less configuration management. But at the same time, organizations are adopting other solutions, such as Linux, and they want customization and that is not possible on the Microsoft side.
Microsoft 365 Defender helps prioritize threats to the enterprise, but not alone. Rather, it is through combining it with other Defender products like Defender for Cloud Apps and Defender for Endpoint. All these, in combination, can provide really good security, visibility, and threat protection against any vulnerabilities or threats. But with just M365, our hands are tied with the scope, which is limited to emails, Teams, and SharePoint.
We can't 100 percent automate things, but we can automate about 80 percent of our tasks. It has made life easier. But, at the same time, if a scenario is not something that repeats, performing an activity automatically would reduce the time spent, but not by that much. We have automated a few areas for things that occur on a regular basis, but at the same time, we come across situations now and again that we think about automating, but we also think about the effort that we would have to put into doing so. Will it be a recurring solution or not?
There are also some advancements that Microsoft has launched to automate threat surface reduction, some features that we could try to help us analyze steps to be taken before an attack happens, but nothing that I have tried yet.
Hypothetically, when looking at whether a single-vendor or a best-of-breed strategy is best: having been an architect for the last couple of years, what I've seen is that a multi-vendor system is definitely a good approach rather than going with a single-vendor solution. Even though Microsoft has all these tools, we can't achieve 100 percent security. There are the areas for improvement that I mentioned, where Microsoft doesn't have a single solution, like pen testing and vulnerability management. My suggestion is always to go with a multi-vendor solution. Microsoft might reach a level where, at a certain point, they will have 100 percent coverage, but my approach would still be multi-vendor.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Owner at a consultancy with 11-50 employees
Offers capabilities that other solutions don't offer
Pros and Cons
- "The feature I find most valuable is Defender for Endpoint."
- "The licensing process needs improvement and clarification, as it is currently difficult to understand which features are licensed to which users."
What is our primary use case?
Our primary use case for Microsoft Defender XDR is to serve as our email security solution, offering file protection, scanning, alerts, and incident management. It is a part of every Microsoft 365 deployment we do.
How has it helped my organization?
The integration of Microsoft products simplifies management, reporting, and investigations. It offers capabilities that other solutions don't offer.
What is most valuable?
The feature I find most valuable is Defender for Endpoint. It's because endpoint management is my primary focus, and this feature integrates well with my other skills.
What needs improvement?
The licensing process needs improvement and clarification, as it is currently difficult to understand which features are licensed to which users.
For how long have I used the solution?
I've been using Microsoft Defender XDR for about ten years since it was known as Office 365 Advanced Threat Protection.
What do I think about the stability of the solution?
I have no concerns about the stability of Microsoft Defender XDR.
What do I think about the scalability of the solution?
We are only a small organization, and our operations don't even challenge Microsoft Defender XDR's capabilities.
How are customer service and support?
The customer service and support have been good. Whenever it is needed, they are fast to respond.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used various solutions over the years, but since then, we've been using the Defender variants.
How was the initial setup?
The initial deployment was straightforward.
What about the implementation team?
We implemented Microsoft Defender XDR ourselves in-house.
What's my experience with pricing, setup cost, and licensing?
There are no issues with pricing, but sometimes, the clarity in licensing is a concern. I still need to verify what's included with each license occasionally.
What other advice do I have?
I would rate Microsoft Defender XDR a ten out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Nov 30, 2024