Microsoft Defender XDR Licensing

There is confusion about the licensing requirement associated with Microsoft Defender XDR

The following is a collection of related items placed in the order to make licensing requirement clear to the reader.

Microsoft Defender XDR (formerly Microsoft 365 Defender)

Source <https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-xdr>

Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Microsoft Defender XDR services protect:

• Endpoints with Defender for Endpoint – Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
• Assets with Defender Vulnerability Management – Microsoft Defender Vulnerability Management delivers continuous asset visibility, intelligent risk-based assessments, and built-in remediation tools to help your security and IT teams prioritize and address critical vulnerabilities and misconfigurations across your organization.
• Email and collaboration with Defender for Office 365 – Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools.
• Identities with Defender for Identity and Microsoft Entra ID Protection – Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft Entra ID Protection uses the learnings Microsoft has acquired from their position in organizations with Microsoft Entra ID, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users.
• Applications with Microsoft Defender for Cloud Apps – Microsoft Defender for Cloud Apps is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps.

Source: <https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide>

Here’s a list of the different Microsoft Defender XDR products and solutions that Microsoft Defender XDR coordinates with:

• Microsoft Defender for Endpoint
• Microsoft Defender for Office 365
• Microsoft Defender for Identity
• Microsoft Defender for Cloud Apps
• Microsoft Defender Vulnerability Management
• Microsoft Entra ID Protection
• Microsoft Data Loss Prevention
• App Governance

Source: <https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide>

Microsoft Defender XDR Licensing Requirements

Any of these licenses gives you access to Microsoft Defender XDR features via the Microsoft Defender portal without additional cost:

• Microsoft 365 E5 or A5
• Microsoft 365 E3 with the Microsoft 365 E5 Security add-on
• Microsoft 365 E3 with the Enterprise Mobility + Security E5 add-on
• Microsoft 365 A3 with the Microsoft 365 A5 Security add-on
• Windows 10 Enterprise E5 or A5
• Windows 11 Enterprise E5 or A5
• Enterprise Mobility + Security (EMS) E5 or A5
• Office 365 E5 or A5
• Microsoft Defender for Endpoint
• Microsoft Defender for Identity
• Microsoft Defender for Cloud Apps or Cloud App Discovery
• Microsoft Defender for Office 365 (Plan 2)
• Microsoft 365 Business Premium
• Microsoft Defender for Business

 Microsoft Defender for Endpoint Plan 1 and Plan 2:

1. Microsoft Defender for Endpoint Plan 1 includes core features such as next-generation protection, vulnerability management, and attack surface reduction. It is designed to provide robust antimalware and antivirus protection. However, it does not include advanced features like EDR or automated investigation and remediation.

1. Microsoft Defender for Endpoint Plan 2 builds upon Plan 1 by adding advanced capabilities. It includes everything in Plan 1, plus features like EDR, automated investigation and remediation, threat analytics, and advanced hunting. It provides comprehensive protection against security breaches and attacks.

Microsoft Defender for Endpoint extends its support to include the Windows Server operating system. This means you can use it to protect your Windows servers effectively. 

• Integration with Microsoft Defender for Servers: Microsoft Defender for Endpoint seamlessly integrates with Microsoft Defender for Servers. This integration allows you to:
• Automatically onboard servers: You can have servers monitored by Microsoft Defender for Cloud appear in Defender for Endpoint.
• Conduct detailed investigations: As a Microsoft Defender for Cloud customer, you can investigate threats and incidents on your servers using the Defender for Endpoint console.
• Advanced attack detection: Defender for Endpoint provides deeper insight into server activities, including coverage for kernel and memory attack detection.
• Response actions: You can take response actions directly from the console.
• Windows Server Versions Supported:
• Windows Server 2012 R2 and Windows Server 2016: You can either manually install/upgrade the modern, unified solution on these machines or use the integration to automatically deploy or upgrade servers covered by your respective Microsoft Defender for Server plan.
• Windows Server 2019 and Windows Server 2022: These versions fully support Defender for Endpoint.
• Windows Hyper-V Server editions are not supported.

Additional Resources:

• Evaluate and pilot Microsoft Defender XDR security, an XDR solution that unifies threat data so you can take action. | Microsoft Learn
• Alerts and incidents in Microsoft Defender XDR – Microsoft Defender for Cloud | Microsoft Learn