Microsoft Defender for Office 365 Reviews

We're an MSP, and we deploy security solutions to our clients based in the UAE. We are currently implementing the product ourselves and developing the capacity to deploy it to our clients. We have around 200 total end users. 

In addition to Defender for Office 365, we also use Defender for Cloud and Microsoft Sentinel. The products are integrated.    

The integration was straightforward, as most of our clients and we operate an Azure environment, so integration is usually as simple as a few clicks.

Defender for Office 365 helps automate routine tasks and find high-value alerts, which we can do using Azure Logic Apps. We can create operations, automate them, and make a workflow using automation. One of our clients didn't have the budget to invest in a SOC team, but we deployed the solution for them, and they now run a SOC with only one analyst. They can achieve this kind of maturity through the product's automation.   

The solution's threat intelligence helps prepare us for potential threats before they hit and take proactive steps. Sentinel also features robust threat hunting, which provides indicators of possible attacks and is beneficial information to have.   

Defender for Office 365 saved us time, we have seen many improvements to the product, and Microsoft regularly brings out new features. The tool is at a good point right now and is on the path to improvement. Time saved is in the region of 30-40%.  

It decreased our time for detection and response, especially with its SOAR capabilities. We can activate automated runbooks in a few clicks and block a malicious or unauthorized user in a single click. We rapidly receive alerts, which reduces our response time such that what once took at least an hour can now be resolved in minutes.   

The email protection is excellent, especially in terms of anti-phishing policies. 

The solution's information protection around sensitive labels and compliance-related security features are also very valuable.

Defender for Office 365 provides excellent visibility into threats; we can see the attacks and phishing campaigns running against our users from the portal.  

The product helps us prioritize threats across the enterprise, which is essential because most of our clients come to us with alert fatigue. They have so many alerts they often need help determining which ones to work on, and the solution's threat prioritization helps us narrow that down.  

The comprehensiveness of the threat protection provided by Microsoft security products is excellent; we wouldn't use any other third-party security solutions, and it all comes packaged with Azure or an E5 license.    

Microsoft Sentinel enables us to ingest data from our entire ecosystem, which is vital because when we deliver security products for clients, one of their primary requirements is to collect all the on-prem logs and put them in the cloud. Sentinel is capable of this and requires some expertise to operate in this way. 

Sentinel allows us to investigate threats and respond holistically from one place; that's what it's built for. We work offsite as we aren't in the same region as our clients, so the ability to respond remotely is essential to us.  

Several simulation options are available within 365, and the phishing simulation could be better.

I want to see improvements that will make the tool easier to operate. 

We've been using the solution for one year. 

The product is stable. 

Defender for Office 365 is scalable. 

We never had to contact technical support. When we encounter an issue, we can search for a solution on the internet or YouTube, for example, for specific configurations. There's excellent community support available.

We didn't previously use a different solution. When I joined the company, we were and remained Microsoft Gold Partners, so we don't have any other third-party tools.

I wasn't involved in the initial setup, and the solution is lightweight in terms of maintenance. A yearly configuration review is sufficient. 

Defender for 365 comes in various plans and licenses, along with other Microsoft security solutions. Purchasing this kind of package or security bundle gives good value for money, and that's what I recommend.

To a colleague who says it's better to go with a best-of-breed strategy rather than a single vendor's security suite, in terms of pricing, it's better to get a good package for security solutions from one vendor rather than multiple vendors.  

I rate the solution eight out of ten.

Multiple integrated Microsoft solutions work natively together to deliver coordinated detection and response across our environment, and we Microsoft Sentinel to our clients. It's a SIEM tool, and once we configure Defender, we can push alerts to Sentinel, which is valuable.   

We leverage Sentinel's SOAR capabilities with the help of Logic Apps, and many libraries are available to make automation easier. However, some complexity is involved in developing Logic Apps, so it requires some expertise.

It allows us to effectively detect and manage malicious URLs within emails. This proactive approach allows your team to identify and resolve security incidents promptly. We optimize our security by incorporating Microsoft's IOCs into both Defender for Office 365 and endpoint protection. This integration prevents our devices from accessing known threats, saving significant time weekly. Centralized management of threat indicators proves highly efficient, potentially saving hours. This comprehensive strategy enhances our proactive security measures across our systems.

When dealing with a large volume of emails, whether received or sent by users, Defender solutions, particularly Threat Explorer, prove to be highly effective. In instances where users may have inadvertently interacted with potentially harmful emails, it enables me to isolate and analyze these emails by placing them in a secure sandbox environment. This insight is crucial for addressing incidents promptly and collaboratively, fostering a cooperative approach to resolving potential security issues within the organization. In Defender 365, we've implemented a dual-pronged approach for automating tasks and managing security incidents. When alerts like a user clicking on a malicious URL occur, data is directed to Sentinel or Log Analytics. A logic app is then employed to analyze the user's actions using Defender for Endpoint, tracking device activities, and making informed decisions. This integrated system enables us to swiftly identify, analyze, and respond to security incidents, enhancing our ability to manage and mitigate potential threats effectively. It has significantly reduced our time to detect and respond to security incidents. While I don't have an exact figure, the impact has been substantial. By consolidating multiple solutions into logic apps and gaining visibility, we can now respond much more efficiently than before. Without this integrated approach, lacking visibility hampers our ability to identify and address potential threats promptly.

Threat Explorer is an invaluable tool for me, and it plays a crucial role in helping me discern the origins of various email campaigns, pinpointing where they emanate from, and identifying the individuals within our organization who are affected. The convenience of having a centralized location for extracting comprehensive data is particularly noteworthy. With Threat Explorer, I can efficiently manage and mitigate the impact of these campaigns by removing problematic emails from mailboxes, all in one centralized location, eliminating the need to navigate through multiple areas. Effectively prioritizing threats across our enterprise is crucial for us, given that the primary avenue of attack is often through phishing emails. By having robust protection in place, we're able to significantly mitigate this prevalent threat, essentially clearing a major portion of the cybersecurity landscape.

There's room for improvement regarding the time frame for retrieving emails. Currently, the limitation allows users to go back only thirty days when pulling emails or conducting related actions. Enhancing this capability to extend the timeframe, perhaps to sixty or ninety days, would be beneficial.

I have been working with it for three years.

It has been reliable. I haven't encountered any instances of downtime or significant bugs; occasionally, signing out and back in resolves minor issues.

In terms of scalability, our institution has expanded with more students and staff, and we haven't experienced any performance issues with Defender for Office 365. It has proven to be effective and adaptable to the growth of our organization. We currently have approximately four thousand staff members.

The support team, not only for Defender for Office 365 but for any issues I've encountered, has been exceptional. Whether reaching out through email or submitting a support ticket, I typically receive a callback within hours. I've never personally faced any challenges in contacting Microsoft support—they've consistently been prompt and responsive. The account managers, or whatever they're officially called, have been quick to answer and address any inquiries, making the support experience highly satisfactory. I would rate it ten out of ten.

Positive

I would highly recommend it as it offers numerous features that can significantly enhance your security posture. Overall, I would rate it ten out of ten.

We use Microsoft Defender for Office 365 for protection. 

Microsoft Defender for Office 365 has improved my organization's security. It makes it easier to manage the infrastructure without the help of third-party applications. 

The product helped us maintain collaboration and communication during the pandemic with the help of Teams. 

Microsoft Defender for Office 365 must improve the overall management style, including the GUI. It also needs to change the filters so that it is easy to whitelist and blacklist data. 

I have been using the product for six years. 

The product is stable. I rate it a ten out of ten. 

Microsoft Defender for Office 365 is scalable. I rate it a ten out of ten. 

The tool's support is good. 

Positive

Microsoft Defender for Office 365 is expensive but does what it says. 

Microsoft Defender for Office 365 is efficient and picks up threats before they pass on to the systems. 

The tool's automation has made us more efficient in our daily tasks. 

The solution saves much time since you don't have to reimage the computer after an attack. 

Our primary use case is for features like mail protection and preventing impersonation. It has extended the protection for the user.

What I don't like about Microsoft Defender for Office 365 is that many of the features should be default. They should be included, not optional, like other vendors provide.

I have been working with Defender for Office since the beginning. It's been evolving all the time.

I would rate the stability an eight out of ten. We noticed that from time to time, Microsoft does have problems. Sometimes the service goes up and down. Sometimes they change without prior notice. 

It is a scalable solution. Our organization has around a thousand users using Microsoft Defender for Office 365. 

Sometimes it's good. Sometimes it's bad. It's up and down.

The initial setup is straightforward. You just add the license, click it, and then you can set up the rules. It is quite simple. 

You can set it up in-house. 

The pricing has become expensive. 

Some customers want to use a monthly payment, but Microsoft recently changed its license policies. So we are encouraging most users to pay annually.

Overall, I would rate the solution a nine out of ten. I would definitely recommend using the solution. 

We have started using Defender on our endpoints, together with the basic Defender for email. We placed Defender on our endpoints through our XDR solution. It's connected to our SOC and the SIEM.

The fact that it's easy to integrate and implement has helped us to move forward with our project.

Also, on the clients, we have implemented automated identification and blocking, and these help our SOC team avoid doing manual work.

It gives us visibility into threats and, for endpoints, it helps us to prioritize threats. We used to have a lack of visibility, but now our time to detect and respond has decreased.

Also, in the beginning, Microsoft Defender for Office 365 saved us time because we had started a completely new company. Now that we are more established, we need another, more advanced solution with more machine learning and artificial intelligence related functionality.

About eight months ago, we started to measure the quantity of phishing and spam that we have been receiving, and it has been increasing a lot. That means that protection for our email is not as good as we were expecting.

Now that we have more visibility into threats, our orientation is to have a more top-market solution to give us more visibility and easier ways to respond to the threats that we find and also to identify threats better.

It is not really straightforward to get a lot of information from Microsoft Defender, so we have had to use Microsoft Graph to create some custom views to export custom information.

I have been using Microsoft Defender for Office 365 for four years.

The stability is really good. We have never had any problems related to Defender.

The scalability is also very good. It's easy to increase usage, but that's expected.

We are a multinational company, so we have multiple locations, including Brazil and several countries in Europe. We have about 470 end-users.

The technical support is really good. 

Positive

We used Symantec when we were part of a big company. We decided to use Microsoft because it is a fully integrated solution and was embedded in our licenses. We did not take into consideration all the features.

Our company was sold by that big company that we used to be part of and we then consolidated and created a new company about four years ago. We wanted to move forward, as fast as possible, with as much security as possible.

It was really straightforward to set up. We implemented it on our endpoint devices, and then we configured a lot of policies to manage and avoid threats, as well as policies for phishing and the cloud.

The maintenance is mostly related to fine-tuning phishing and other issues and is handled by one or two engineers, but it's not needed frequently.

It was done in-house, with two or three of our resources.

It is much more expensive than using another solution because we have had to include some options and upgrade our license. Be aware of the licensing model, because for certain features you need a different level of licensing.

We did not look at other options. The main reason we went with Microsoft was because of the complete integration.

If I were asked whether to go with a single vendor or multiple vendors for security, I would say use multiple vendors. We are using Microsoft for collaboration, email, chat, and security. It's like having the wolf secure your house. Having different vendors would help give you different visibility and data and different people managing different solutions.

The big things we take advantage of are Safe Links for Teams, SharePoint, and Email. We have office locations all over the world. We are in New Zealand, Africa, Europe, the USA, and South America. We have deployed the license for every single person with a mailbox.

Since we have started using the solution, there have been fewer compromises. We're more secure having Safe Links.

It is a high-impact tool. It keeps users from doing anything wrong.

The product must provide better malware detection. The detection algorithms don't perform the way I hope they would.

I have been using the solution for three years.

The tool has 100% stability. It has never been down.

The tool is deployed globally in our tenants. It is scalable. We have about 5500 licenses.

Most of the time, I can get what I need from the support. Sometimes, it is a hit or miss. It is not always straightforward. I often state my problem clearly, and then the support person asks me to explain it again. They must read what I've already written when I opened the ticket. All the details are right there. Far too often, the support personnel do not read the ticket I raise.

Neutral

The initial deployment was pretty simple. We were already under a microscope, so we were pressured. I had to learn what I wanted. We had to deploy the product quickly. We use both AWS and Azure as our cloud providers.

The pricing is too much compared to other security products that do the same things. The product is very expensive. I have a hard time demonstrating more value out of it.

We didn't evaluate anybody else. We had been compromised, so we decided to buy the product.

We get a lot of good visibility. When we look for something, it's pretty easy to see the IP from which the user signed in. We get to know where the person is logging in from. It lets us know quickly whether a particular IP should be logged in at a particular time.

The solution does not help us prioritize threats. It helps us mitigate some of the threats we identify. I don't think prioritization is important. Whoever makes the most has the highest priority.

The solution’s threat intelligence helps us take proactive steps, especially with Safe Links. It helps us track down and look at logs, see what document libraries a threat might have gone to, and try to review the exposed data and potentially exfiltrate it.

The solution has saved my company's money. The tool has decreased our time to respond by a couple of hours per incident. I don't have to involve my network or security teams. We could click through to determine whether an access is legitimate. There may be more cost-effective solutions in the market.

Overall, I rate the solution a nine out of ten for its functionality.

We use Defender for Office for its five core features: anti-phishing, malware, link scanning, attachment scanning, and anti-spam.

We switched from Mimecast to Defender, and it's been a massive difference. Mimecast is convoluted, obtuse, and frustrating. That's not the case for Microsoft 365. Mimecast has more false positives, and the link-scanning feature requires you to authenticate devices every time you use the solution, which is untenable if you're on your phone. It's just not possible. 

If you're trying to look up a PDF that somebody sent, and a safe link is embedded in that, Mimecast and Microsoft write it into the "send" box. However, Microsoft is much better because you are already authenticated, so you don't need to re-authenticate again. Mimecast makes you reauthenticate every time.

It gives us one admin portal to see the things we need, which has made life for my admin team easier. I estimate it saves us about an hour or two a week. It saves the clients money because my team spends fewer hours doing tasks each week. 

The most valuable feature is protection against malicious links, fishing, and impersonation. You can train people to be aware of these threats, but they're not always careful. When they're using their phones between meetings, they click on a link, and it's game over. 

Impersonation detection is also crucial because attackers are increasingly advanced. They keep changing their tactics and adapting. People are getting emails with display names that look like people from their organization. SDF records, DMARC, and all that stuff don't always work because people often ignore email addresses. We have also used the phishing simulation component. That's pretty good.

The only thing they should improve is the licensing model. They should stop changing it. A year ago, the five features I mentioned were included in one product. Now, three of them are bundled into one product, and you have to pay extra for the other two. I don't mind paying extra, but I don't want them to change it every year or every six months. I need to know what I'm looking at and not worry about it next year.

I've used Defender in production for about a year.

Defender is stable. 

The number of users isn't significant, so I'm not worried about scalability.

Deploying Defender is a two-person job. You don't have to do much to maintain it per se. You occasionally get tickets from users who expected an email that got quarantined. You need to pay attention to that. You'll get access when you get a false positive, and you need one help desk person to look into it. There's no maintenance outside of that. 

Defender is cheaper than Mimecast in the long run, so there are savings, if not a return. It's like proving a negative. We haven't been hacked, so I don't know if that's worth anything.

The price is reasonable. 

I rate Defender for Office 365 a nine out of ten. If you could find a better solution than Defender, I would take a look. I originally went with Mimecast because they seemed to have a better product, but that's no longer true. Microsoft Defender is better than Mimecast. I used Mimecast for four years before switching. It used to be better, but now it isn't. You go with the best. Diversifying it is not helpful. Microsoft is finally doing a good job doing this email protection, they didn't do well in the past, but now they are.

I use it for email security and to scan for phishing attempts. I use it for endpoint security as well and scan for any malicious activities, such as viruses, malware, or possible ransomware; to prevent any kind of malicious activity. I also use it to investigate and respond to malicious activity.

So far, it has helped with how we organize data flow within our IT department and has given us increased visibility.

The solution has also eliminated having to look at multiple dashboards. Reconnaissance, or data gathering, is very important, and the speed at which we gather data is very important when responding to a threat.

It saves me time because I don't have to go from one tool to the next, or one dashboard to the next to get similar information. Now, I just log in one time to my Azure portal and I can get everything I need from there. It also assists with email alerts because they are consolidated and very simplified. We don't have different tools sending alerts. It's just one tool sending them and they differentiate based on what is going on. That has really been awesome.

The threat intelligence also helps prepare us for potential threats before we encounter them. We see recommendations and predictions from their SIEM.

The anti-phishing component and the investigation consoles that Microsoft gives you with this product are the most valuable features. The consoles are very detailed and mostly accurate. There are fewer false positives than in other products that I've used.

It also gives me good visibility because, with Defender, I'm using a Microsoft product to defend Microsoft products. The integration was really seamless and I have wide visibility because it picks up almost everything. Literally, I can see almost every activity that happens, from the email to the workstation itself. It's a really awesome product in terms of giving me visibility into what's happening with the endpoints in my corporate environment.

On the investigation console, it shows the form of attack vectors that I may be exposed to and it prioritizes things based on the risk factor. I know what to give priority to when it comes to remediation and prevention.

In addition to Microsoft Defender for Office 365, we use Sentinel and ATP. They are all integrated. I wouldn't be the best person to speak about the integration process itself because I had huge assistance with that aspect. But I'm assuming it was not too tough because that part of the project was pretty quick. It's all license-based, so it's not that difficult.

These products work together, natively, to deliver detection and response in a coordinated way. Whatever is reflected in one of them can be seen through evidence in the other tools. For example, if there's an email threat in an attachment and it is downloaded, Defender continues to pick up the trail from there and resolves the threat.

One aspect of Sentinel that is very important is that it enables us to ingest data from our entire ecosystem. Sentinel is like having built-in AI that analyzes everything that goes on in the environment. The feedback from Sentinel is very important, so it's very important that it has 100% visibility into the environment. It helps us to make a lot of logical decisions.

Sentinel also helps us to investigate threats and respond in an integrated way from one spot. That is important because the speed at which you respond to a threat is very important. The longer you take, the harder the threat will be to dissolve. The quicker the response, the better it is when it comes to remediating the attack or undoing the damage, and keeping downtime to a minimum.

And the AI technology of Sentinel has helped to automate finding high-risk alerts. The alerts are prioritized based on the risk factor.

We recently implemented Microsoft Defender for Office 365 and have been using it for about two months.

It's pretty stable. There's nothing on-prem except for the agents. They are the only thing you have to worry about. Everything else is in the cloud, so you don't have the responsibility of downtime when it comes to security.

One area for improvement is support, in terms of being able to reach them and, especially, technical support for configuration.

Neutral

The solution could be better by simplifying the business model of their licensing. It was hard to figure out how to get the licensing done for the environment, initially. That was the only hiccup we had when we enrolled with Microsoft for security.

We tried Cybereason and SimplySecure. We also tried SentinelOne and it was really good. The reason we chose to go with Microsoft was the added features for securing our email tenant.

Sentinel is pretty cost-effective compared to other solutions because, with Microsoft, we get multiple products for a holistic, cheaper subscription price. The things we would have to purchase from different vendors are the things that Microsoft gives us all in one. Instead of paying Splunk for a SIEM, and paying Fortinet for EDR, we can have a subscription-based solution at a cheaper rate from Microsoft, which is an all-in-one solution.

They really keep up to date with the definitions and upcoming threats that are out there and are doing a pretty good job of defending us, in comparison to other products. They're really catching on. Before, I wasn't a Microsoft person, but I'm slowly getting there because these products have really assisted me of late. They have given me a lot of perspectives on security in general.

It's a good solution for enrolling all your devices. You can have Mac, Windows, and Linux in your console for security visibility. Once your alerts are configured correctly, you shouldn't be missing anything. It's really good for getting alerts to you about anything anomalous.