We are a Microsoft partner and we have clients who are Microsoft 365 administrators in several companies. They are looking for ways to secure their tenants and make sure that their security is top-notch. That's where Microsoft Defender comes in. We use Microsoft 365 Defender for security and compliance to secure tenants from malicious attacks, including spam and phishing attacks. And when it comes to compliance, it is used for data privacy and data protection to ensure that very sensitive data doesn't go out to the wrong location.
Security and Compliance Engineer - Data Protection at a tech services company with 1,001-5,000 employees
Vast range of audit log search options helps analysts carry out a full search
Pros and Cons
- "Many people don't realize that Microsoft Azure, Exchange Online, and the security and compliance portal all sync together. For instance, within the Azure portal you can set security restrictions and policies to help secure your tenants... The good part of it is that these products have already been integrated. When you sign on as an admin you have global admin rights and that gives you access to all these features."
- "The message trace feature for investigating mail flow issues should add more detailed information to the summary report... if they could extend the summary report a little bit, make it more descriptive, ordinary administrators could understand what happened and that the emails failed at this or that point. That way they would know the location to go to try to correct it and to prevent it from occurring again."
What is our primary use case?
How has it helped my organization?
It makes security and protection very seamless.
And Defender saves me time. For instance, if I get notified that a user isn't receiving emails from a particular person, I know that the first thing I have to do is a message trace. It saves me time to an extent because I have a go-to location. With message trace, I'm able to trace emails from, for example, abc@givendomain.com over the past two days. It gives me information about what actually happened in the mail flow. I'd rate the time it saves me as a seven out of 10.
It has also saved us money, on the order of 50 percent. And our time to respond has improved to the level of a six out of 10.
What is most valuable?
The features of the solution are vast and wide.
The most valuable feature is the content search feature in the compliance portal. It is very useful because it covers both audit log search and content search. The audit log search is very useful because, most of the time, you see several changes within the admin portal and it's hard to keep track of what happened. Our customers want to get to the root cause and see the activity that must have triggered those changes. That's where the audit log search comes in. They've enhanced the feature in such a way that it has a vast range of search options so that an analyst can carry out a full search.
The content search feature has also advanced to a point where you can carry out several searches with your keywords. You can point it to a certain location, such as Exchange Online or SharePoint Online, or Teams Online. You can narrow the search down to a particular individual or group of individuals. When administrators report that they have lost content or accidentally deleted a mailbox or the mailbox content, the content search feature is a good way to recover the content.
Another top feature is threat management. It helps prioritize threats across the enterprise.
In addition, you can navigate to the security compliance portal and set restrictions to block IP addresses from different locations. You can also choose to flag domains that are sending malicious attacks and block them and update the anti-spam policy to make it more strict to prevent attacks from happening in the future.
Many people don't realize that Microsoft Azure, Exchange Online, and the security and compliance portal all sync together. For instance, within the Azure portal, you can set security restrictions and policies to help secure your tenants, but most administrations do not know about that, including things like multi-factor authentication, conditional access policies, and privileged access.
We've had reports from clients about compromised accounts because someone got access to a password that they shouldn't have. Multi-factor authentication helps eliminate this. As for conditional access policies, you can set certain policy restrictions to certain locations or IP addresses so that emails or sign-ins only come from particular locations. That helps secure your environment against malicious sign-ons to your accounts.
The good part of it is that these products have already been integrated. When you sign on as an admin you have global admin rights and that gives you access to all these features. You will see Exchange Online, security and compliance, and Microsoft Azure. All you need to do is click and it takes you to the portals.
Overall, the comprehensiveness of the threat protection is at 95 percent. It's not 100 percent because of updates not being done on the Knowledge Base and technical know-how.
The alert feature allows you to set the severity of alerts. If there is a malicious or suspicious sign-on, an alert triggers immediately letting you know, as an administrator, to check what's going on in that account. For example, there was a time when one of our users' accounts was about to be compromised. We got an email notification which was sent to all administrators on the tenant. I was able to block that activity in real-time and then set the system to trigger more alerts for such sign-ons in the future. I also blocked the IP address. That particular feature has helped. The alert arrived in real time to prevent the account from being compromised.
What needs improvement?
When changes are done within either the admin or security and compliance portals, there should be a real-time update to administrators about the changes. Many times I'm supporting a case where someone says, "I used to do this like this, but I'm unable to do it that way anymore. What happened?" And I will have to say, "Oh, sorry. That doesn't work like that anymore. It's now done this way." So there should be a way to notify people about changes like that, and prompt information when changes are done within a portal.
I would also like to see regular updates about new features in the Knowledge Base. There are cases where I'm using a Knowledge Base article to try to educate a customer, but when I check the feature on the admin portal, and in the article, they don't look alike. For instance, it's saying, "Go to settings. From settings, go to options." Meanwhile, on the portal itself, I'm seeing "Settings, go to more settings, then go to options." It would help a whole lot if feature updates were updated in real-time in the documentation.
Also, the message trace feature for investigating mail flow issues should add more detailed information to the summary report. The summary report is what the administrators are able to understand. The extended reports are a very deep dive and the administrators will only understand them if they reach out to support engineers. But if they could extend the summary report a little bit, and make it more descriptive, ordinary administrators could understand what happened and that the emails failed at this or that point. That way they would know the location to go to try to correct it and prevent it from occurring again. Making that summary report more extensive and detailed would be of great help.
Buyer's Guide
Microsoft Defender XDR
February 2025

Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.
841,004 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Microsoft 365 Defender for a little over three years.
What do I think about the stability of the solution?
Overall, it is stable.
There are a few bugs but they generally don't impact the reliability. The bugs are not the kind that impact the work done by an organization. Processes can continue while they fix the bugs.
What do I think about the scalability of the solution?
It is scalable.
It is used across multiple departments with anywhere between one and 200 endpoints.
How are customer service and support?
Their response time is okay, it works fine, but the time it takes to resolve escalated cases needs improvement. An escalated case is when there is a bug. You could literally have reported a bug and it's still not resolved the following week. Bug fixes take a long time, especially when a very essential feature is not working as expected.
How would you rate customer service and support?
Neutral
How was the initial setup?
It took me three to five months to understand it because it has a vast number of features. If you do not understand it, one click could mess up a whole lot of things.
What's my experience with pricing, setup cost, and licensing?
Microsoft should provide lower-level licensing options. They should do it in such a way that even an individual could purchase a license, and it should be entirely flexible. An individual should be able to access the solution at a very affordable rate.
Which other solutions did I evaluate?
Most administrators, in my experience so far, are reaching out to third parties for email filtering and to manage threats in their organization. According to them, Microsoft 365 Defender isn't giving them the information they need. And I realize that this is not correct. What they're missing out on is the proper information or technical know-how to utilize the features.
For example, if someone uses Barracuda as their third-party filtering service, I begin to ask questions such as, "Okay, why did you choose to use the Barracuda service when we have the ability to create good anti-spam policies that could help secure your tenant? You can create anti-phishing policies and rules that will help restrict IP addresses." Often, what they say is that Barracuda is better because it gives them more information and real-time data. At that point, I ask them to let me provide a deep dive into the features of Microsoft 365 Defender. I use the documentation and Knowledge Base articles to explain its features, one after the other, and they begin to say, "Oh wow." They didn't know these features actually exist. They'll begin to look at the possibility of utilizing the Microsoft solution since they have paid for it. Why should they pay additional money to a third party to get services that Microsoft provides? They feel very happy about the information I provide.
So far so good. The Microsoft 365 product hasn't given me a reason to want to check for other products and move to something else.
What other advice do I have?
For the best and most seamless user experience, it's best to go with a single vendor because there could be a lot of complications going with a best-of-breed strategy. It's easier to understand things with a single vendor.
When you don't understand a feature, ask questions and reach out for support. There are some features that are being used wrongly or that are underutilized.
Also, test the product beforehand. They provide trials so you can test the solution and see if it meets your expectations.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner

Consultant at a tech services company with 1,001-5,000 employees
Provides good insights, allows us to prioritize threats, and comes with a centralized portal
Pros and Cons
- "The EDR features are valuable. By getting the EDR features, we have more control over the device. We have information about events in real-time and more protection against zero-day threats and zero-day vulnerabilities. We can monitor every event or action that a device is going through. We can get an idea if it is something malicious or if we have to take any actions."
- "The onboarding and offboarding need improvement. I work with other vendors as well, and they have an option to add a device or remove a device from the portal, whereas with Microsoft 365 Defender, we need to do that manually. However, once you do that, everything can be controlled through the portal, but getting the device onboarded and offboarded is currently manual. If we have an option to simply remove a device from the portal or get a device added from the portal, it would be more convenient. The rest of the features are similar. This is the only area where I found it different from others. I would also like to be able to simply filter with a few of the queries that are already there."
What is our primary use case?
Microsoft 365 Defender is an extension of Windows Defender. Windows Defender is an AV that is integrated with Windows OS, and with this extension, you also get the EDR functionality for security purposes. Microsoft 365 Defender gets more access to the device and provides more insights and control over that. Apart from the Windows platform, it also includes other OSs, such as Linux and macOS.
We do have multiple options for deployment. We did deploy it on the cloud. We got the on-cloud license, and we onboarded our devices to the portal. The portal is deployed on the Azure cloud.
How has it helped my organization?
It helps us prioritize threats across the enterprise. We also have options to prioritize a specific device and monitor it. We can keep a device on high alert or on the watch out for each and every event. There are different severity levels, such as critical, high, medium, and low. We can set severities on any of the devices. Based on the set severity level, Microsoft 365 Defender can track events, and we can monitor those events from the console.
We get more insights and more information about the devices that we have. Because most of them are Windows devices, we have integrations with Intune or SCCM. It is easy to transfer all the information and see everything in one single portal. If we want to configure anything or control the devices in the whole organization, it is easy because all of them are in the same environment. It is easy to manage and control them.
There are fewer compatibility issues and errors and a better ability to track events. With third-party solutions, I used to see more issues related to compatibility and setting the ports. For each and everything, we had to either go through the support documents or through the support to get information. Most of the Microsoft documentation is publicly available. It is not that you only get that when you open a support case. That's an advantage compared to others.
It helps to automate routine tasks and the finding of high-value alerts. We have KQL or SQL queries that we can set up. We can schedule them so that it automatically queries for a specific device or all the devices and gives us a report that we can simply export.
Its threat intelligence helps to prepare us for potential threats before they hit and take proactive steps. It has helped us to recover a few devices. Because it is integrated with the OS, we get information about failed logins.
It saves time and manual labor. Previously, we used to use a deployment portal such as Filezilla or GPOs. We used to manually update the signatures, but now, it is automatic. It saved me pretty much half a day's work.
It has decreased our time to detect and our time to respond. It has saved half a day's work. The sensor constantly connects to the console. In case of an issue, we get an email immediately. We also get a notification in the console. Previously, we used to manually scan the device or query something and then get the results. Because it is automated, we don't need to manually do that. Previously, we used to manually isolate or block a device, or we used to work with different teams to get the device offline, but now, we can simply search the device name in the console and isolate a device from there, which is convenient for us.
What is most valuable?
The EDR features are valuable. By getting the EDR features, we have more control over the device. We have information about events in real-time and more protection against zero-day threats and zero-day vulnerabilities. We can monitor every event or action that a device is going through. We can get an idea if it is something malicious or if we have to take any actions.
Because Microsoft 365 Defender is integrated with the OS, we get more insight into the events or threat activities. With a third-party solution, we could have some limitations or compatibility issues with the OS, whereas with Microsoft 365 Defender, there are no compatibility issues for Windows, and we get more insights and more information on the threats simply by logging into the console.
What needs improvement?
The onboarding and offboarding need improvement. I work with other vendors as well, and they have an option to add a device or remove a device from the portal, whereas with Microsoft 365 Defender, we need to do that manually. However, once you do that, everything can be controlled through the portal, but getting the device onboarded and offboarded is currently manual. If we have an option to simply remove a device from the portal or get a device added from the portal, it would be more convenient. The rest of the features are similar. This is the only area where I found it different from others. I would also like to be able to simply filter with a few of the queries that are already there.
For how long have I used the solution?
It has been almost three months.
What do I think about the stability of the solution?
I would rate it a seven out of ten in terms of stability. It is quite stable but it can be improved for a few scenarios. It is still new for macOS and Linux, and for these OSs, I would rate it a six out of ten in terms of stability.
What do I think about the scalability of the solution?
It is scalable. We are using it pretty extensively. It is for multiple departments, and there are multiple teams handling it. In the tenant I have, there are 2,000 devices that are currently onboarded. We also get information about which devices are not onboarded. I can see that a few hundred devices are not onboarded. We also have a few other clients or partners who are using it but on a small scale.
How are customer service and support?
It is good. We do get constant responses and inputs from them whenever we raise a case. They are quite helpful. I would rate them an eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I started working with this solution because I changed my organization. That was the major reason.
Being able to get the information simply from a single portal and the integration with other portals have been some of the benefits. Previously, we used to get data manually, and then we used a SIEM or event collector to send that data to other portals. Now, we can integrate with other Microsoft portals, such as Intune, and get the same information there as well. That's one convenience I have found.
How was the initial setup?
I am not involved with tenant deployment. I am involved with the onboarding of the devices. If you have the right knowledge, it is completely fine. They do have an admin console. You can deploy multiple tenants and also control through that console, but I don't have access to that. I only have access to my own tenant. I only have control over that. We can also include a tenant for a specific organization from the admin console. That admin console is deployed on Azure.
Most of the maintenance is automatic. Because we allow Windows updates, most of the Defender updates are also included in Windows updates. We don't have to specifically go and check. If we see any alert or we find any suspicious events or something on the console while we are investigating, then it might need manual checks. We do get some recommendations through the console itself for what we can do to improve the device security score. So, it requires some maintenance, but that's only when we detect something or we are investigating something. For maintenance, we have different teams in each section. We have around 15 to 20 people.
What was our ROI?
I don't have the metrics, but we started to see its benefits within a couple of weeks from the time of deployment.
What's my experience with pricing, setup cost, and licensing?
Its licensing and pricing are handled by someone else. My role is limited to incidents or issues with the portal, but you get what you pay for. It is worth the cost.
Which other solutions did I evaluate?
We did compare it with VMware Carbon Black and McAfee. We did check Symantec as well, but Symantec didn't have EDR capabilities. So, we dropped it. The final call was Microsoft because we found the integrations and other things easy. It saves time for us because we don't need to go through another team or get a separate team involved just for data transfers.
What other advice do I have?
I would definitely recommend this solution. Getting the product is easy. You simply get the license, but after getting the product, you need to go through the deployment and configuration of the product to match your environment. You can just try out the product and experiment in your own way and learn each and every feature. The documentation is completely public.
I would rate it an eight out of ten because there are a few areas where it can be improved.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Buyer's Guide
Microsoft Defender XDR
February 2025

Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.
841,004 professionals have used our research since 2012.
Owner at a consultancy with 11-50 employees
Offers capabilities that other solutions don't offer
Pros and Cons
- "The feature I find most valuable is Defender for Endpoint."
- "The licensing process needs improvement and clarification, as it is currently difficult to understand which features are licensed to which users."
- "The licensing process needs improvement and clarification, as it is currently difficult to understand which features are licensed to which users."
What is our primary use case?
Our primary use case for Microsoft Defender XDR is to serve as our email security solution, offering file protection, scanning, alerts, and incident management. It is a part of every Microsoft 365 deployment we do.
How has it helped my organization?
The integration of Microsoft products simplifies management, reporting, and investigations. It offers capabilities that other solutions don't offer.
What is most valuable?
The feature I find most valuable is Defender for Endpoint. It's because endpoint management is my primary focus, and this feature integrates well with my other skills.
What needs improvement?
The licensing process needs improvement and clarification, as it is currently difficult to understand which features are licensed to which users.
For how long have I used the solution?
I've been using Microsoft Defender XDR for about ten years since it was known as Office 365 Advanced Threat Protection.
What do I think about the stability of the solution?
I have no concerns about the stability of Microsoft Defender XDR.
What do I think about the scalability of the solution?
We are only a small organization, and our operations don't even challenge Microsoft Defender XDR's capabilities.
How are customer service and support?
The customer service and support have been good. Whenever it is needed, they are fast to respond.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used various solutions over the years, but since then, we've been using the Defender variants.
How was the initial setup?
The initial deployment was straightforward.
What about the implementation team?
We implemented Microsoft Defender XDR ourselves in-house.
What's my experience with pricing, setup cost, and licensing?
There are no issues with pricing, but sometimes, the clarity in licensing is a concern. I still need to verify what's included with each license occasionally.
What other advice do I have?
I would rate Microsoft Defender XDR a ten out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Last updated: Nov 30, 2024
Flag as inappropriateIt isn't customizable enough and not all of the solutions are fully integrated
Pros and Cons
- "My clients like Defender's file integrity monitoring. They're monitoring Windows and Linux system files."
- "My client would like the solution to be more customizable without using code. You can only build on the default console, but we're not allowed to change it."
What is our primary use case?
One of my largest customers deployed Defender for Endpoint, but they also wanted Defender XDR to get a specific feature. Defender XDR is included in the E5 license, but it's a bit too expensive. Our customer wanted Defender XDR's file integrity monitor tools for compliance. My client is using Defender with Sentinel, but I'm unsure how much they use it.
What is most valuable?
My clients like Defender's file integrity monitoring. They're monitoring Windows and Linux system files.
What needs improvement?
My client would like the solution to be more customizable without using code. You can only build on the default console, but we're not allowed to change it.
We have a similar tool to Defender's file integrity monitoring. Under the VMware VM properties, there is a change-checking tool, and it will tell us if the extension is in a different location. You can configure checking and do the monitoring. When I log into Defender's file integrity portal, I cannot see that this machine was enabled. It's the same agent and extension.
It's confusing because I don't know how to tell the customer they don't need to pay $15 per month because you already can enable the extension in VMware. Under the Defender account, it all seems like it's high code, and we cannot change it. Every customer has requirements for us to customize those things.
For how long have I used the solution?
I have used Defender XDR for about a year.
What do I think about the scalability of the solution?
Defender XDR is an enterprise-scale solution.
How are customer service and support?
I rate Microsoft support 4 out of 10.
How would you rate customer service and support?
Neutral
What other advice do I have?
I rate Defender XDR 3 out of 10. I don't think Defender XDR is ready to deploy in its current state. It has too many solutions inside, and they're not fully integrated.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: partner/reseller
Cloud Architect at Vision Bank
Helps extend its protection to third-party applications, stops malware attacks, and reduces costs
Pros and Cons
- "Scanning, vulnerability reporting, and the dashboard are the most valuable features."
- "While the XDR platform offers valuable functionalities, it falls short of other solutions in its ability to deliver a cohesive identity experience."
What is our primary use case?
We are using Microsoft Defender XDR for our endpoint, desktop, and laptop protection.
How has it helped my organization?
Microsoft Defender can extend its protection to the third-party applications we use, which is helpful.
Microsoft Defender XDR not only helps stop malware attacks but also offers advanced attack prevention features to safeguard against sophisticated threats.
Our environment is multi-tenant, and Microsoft Defender XDR offers seamless integration. Its ability to respond to threats across the multi-tenants is good.
It helps our security team by automating tasks, providing detailed reports, safeguarding our systems, and enabling historical analysis.
It has helped to reduce some of our costs by almost $10,000 per month.
Microsoft Defender XDR is easy to manage, saving our security team time.
What is most valuable?
Scanning, vulnerability reporting, and the dashboard are the most valuable features.
What needs improvement?
While the XDR platform offers valuable functionalities, it falls short of other solutions in its ability to deliver a cohesive identity experience. To address this limitation, integrating MDR as part of the XDR experience and incorporating the latest advancements into Microsoft Defender XDR are crucial steps.
For how long have I used the solution?
I have been using Microsoft Defender XDR for over three years.
What do I think about the stability of the solution?
Microsoft Defender XDR is stable.
What do I think about the scalability of the solution?
We can scale up with Microsoft Defender XDR with no problems.
How are customer service and support?
We have a dedicated account manager who handles our support requests. We submit our requests through a ticketing system, and they respond promptly.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We also use CrowdStrike. Both have advanced capabilities and are easy to manage. We have them integrated with multiple tenants but for different products.
How was the initial setup?
The initial deployment was straightforward and took one to two days to complete.
What's my experience with pricing, setup cost, and licensing?
While Microsoft Defender XDR carries a higher cost, its ease of use compared to Defender may justify the investment.
What other advice do I have?
Although I would rate Microsoft Defender XDR eight out of ten, its visibility suffers when used with third-party applications and non-Azure cloud platforms.
While the implementation itself is straightforward, troubleshooting, log creation, and monitoring can be challenging. This solution may be suitable for Microsoft-centric environments, but its visibility suffers in scenarios with multiple third-party solutions or hybrid deployments.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security analyst trainee at a tech services company with 11-50 employees
The solution can replace multiple security products because it covers everything
Pros and Cons
- "The advantage of Microsoft Defender XDR has over other XDRs in the market is that it's easy to use. You can quickly differentiate between alerts, incidents, devices, software, etc. It's easier to investigate an incident, and you have so many options. You can automate investigations and use playbooks. There's also the live response session, which is something you can't find in any other XDR."
- "The design of the user interface could use some work. Sometimes it's hard to find the exact information you need."
How has it helped my organization?
Defender XDR can replace multiple security products. It covers everything, including phishing protection, network security, device security, applications, etc.
The solution has reduced time spent on manual tasks because almost everything is automated. You don't have to do anything. If something happens, you'll get a notification, and it will instantly run the playbook for the incident. For example, a phishing email might take an hour to investigate manually. If you have Defender, you will have all the information you need on the incident page. It's all there, so you can investigate the incident in around 5 to 10 minutes.
Adopting Defender cuts costs. While the solution is a little pricey, you only need two products—XDR and Sentinel—so you don't need to add other security products. You only need to use the Microsoft security stack.
What is most valuable?
The advantage Microsoft Defender XDR has over other XDRs in the market is that it's easy to use. You can quickly differentiate between alerts, incidents, devices, software, etc. It's easier to investigate an incident, and you have so many options. You can automate investigations and use playbooks. There's also the live response session, which is something you can't find in any other XDR.
The identity protection is excellent. It uses some rules, including some built-in rules from Microsoft itself. It identifies risky users and differentiates between a user who is trying to sign in and isn't the actual user. Identity and access management is a valuable component of Defender.
Defender covers non-Microsoft technologies if you're using the full Microsoft stack with Sentinel and Defender. You can ingest logs from other solutions, like Palo Alto and Fortinet firewalls.
It stops advanced attacks like ransomware and phishing in real time and prevents them from entering your environment. There's a feature called Security Advisory that shows you all the latest threats and vulnerabilities in the market so that you can make rules for them. It helps you understand them more.
With Sentinel and Microsoft Lighthouse, you can use multi-tenant access. It allows you to connect multiple tenants to one tenant, which you can use to monitor everything from there. Before we had Microsoft Defender, we had to go to each tenant, log n from your account, and investigate the incident if it's there. Lighthouse has one page with all the alerts, and they're all connected together. You can investigate every alert from one page.
What needs improvement?
The design of the user interface could use some work. Sometimes it's hard to find the exact information you need.
What do I think about the stability of the solution?
I rate Microsoft Defender XDR 7 out of 10 for stability. There are some performance issues maybe 5% of the time.
What do I think about the scalability of the solution?
I rate Microsoft Defender XDR 9 out of 10. It's easy to scale.
How are customer service and support?
I rate Microsoft support 8 out of 10. They answer quickly. If you open a ticket, they will respond immediately. You can chat with them or schedule a call.
How would you rate customer service and support?
Positive
How was the initial setup?
The setup is straightforward. You only need to buy the product and onboard every device. It's like a script for Microsoft Intune. The process takes a couple of days for a small company, but a larger business may require three or four days.
What's my experience with pricing, setup cost, and licensing?
Defender XDR is fairly priced.
What other advice do I have?
I rate Microsoft XDR Defender 8 out of 10. I recommend giving the product a try. If it doesn't work for you, try something else until you find a suitable product. There might be other solutions that are a better fit. It's good for my case, but it might not be right for everyone.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Architect at XVE Security
Extends beyond Microsoft technologies, provides a centralized view, and reduces costs
Pros and Cons
- "The unified view of the threat landscape on a central dashboard is the most valuable feature."
- "The licensing is a nightmare and has room for improvement."
What is our primary use case?
We use Microsoft Defender XDR in our multi-tenant environment comprising Windows, Linux, and the Cloud.
We have Microsoft Defender deployed in a hybrid environment across AWS, Azure, and GCP.
How has it helped my organization?
Microsoft Defender XDR provides unified identity and access management. The identity protection the solution provides is good.
If we had to use a separate solution for identity and access management I believe the performance would be clunky.
Microsoft Defender XDR extends beyond just Microsoft technologies, encompassing a wider range of platforms and services. This broad coverage is a key strength of the solution.
Since implementing Microsoft Defender XDR, the centralized view and management console have been beneficial.
Microsoft Defender XDR limits the lateral movement of advanced attacks.
It integrated seamlessly into our SIEM environment so there are no disruptions to our security operations.
The ability to adapt to evolving threats is critical as the landscape is expanding daily.
The multi-tenant management capabilities for investigating and responding to threats across tenants are good.
We are enabled us to discontinue the use of other vulnerability management tools.
The reduction in the number of vulnerability management tools we use has helped reduce manual operations.
Microsoft Defender XDR has helped reduce our costs by ten percent.
Microsoft Defender XDR has helped save our security team between five and ten percent of their time.
What is most valuable?
The unified view of the threat landscape on a central dashboard is the most valuable feature.
What needs improvement?
The naming convention keeps changing and has room for improvement.
The licensing is a nightmare and has room for improvement.
For how long have I used the solution?
I have been using Microsoft Defender XDR for three years.
What do I think about the stability of the solution?
Microsoft Defender XDR is stable.
What do I think about the scalability of the solution?
Microsoft Defender XDR is a SaaS product so it is scalable.
How are customer service and support?
The technical support is good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used VMware Carbon Black and switched to Microsoft Defender for the multi-cloud environment support.
How was the initial setup?
The initial deployment is straightforward. We identify the critical assets and just deploy for those initially and then slowly roll out for the rest. Around five people were involved in the deployment.
What about the implementation team?
The implementation was completed in-house.
What was our ROI?
We have seen a return on investment.
What other advice do I have?
I would rate Microsoft Defender XDR a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Managing Director, TSG Engineering at a financial services firm with 10,001+ employees
The product is scalable and provides summaries of emails, but it is full of bugs and crashes a lot
Pros and Cons
- "The summarization of emails is a valuable feature."
- "The tool gives inconsistent answers and crashes a lot."
What is most valuable?
The summarization of emails is a valuable feature. I get more than 1000 emails a day. It is hard to read them all. Summarization makes it a lot easier. The solution also provides transcription features.
What needs improvement?
It doesn't work in Word, Excel, and PowerPoint consistently. We find it full of bugs. It doesn't work properly. The tool gives inconsistent answers and crashes a lot. I spoke with the Microsoft team regarding these issues. The person I spoke to said that our expectation was too high and that we should have expected that it would only operate at 70% accuracy, which was a bit of a shock.
For how long have I used the solution?
I have been using the solution for four years.
What do I think about the stability of the solution?
We use most of E3 and E5. We're using 92% of the catalog. Everything runs in the cloud. In the past six months, there have been incidents where the cloud has had some issues. We've escalated them to Microsoft and have had a conversation about stability.
What do I think about the scalability of the solution?
The tool is scalable.
How are customer service and support?
The support is decent. It could be better in certain circumstances. Overall, it's acceptable for what we need it for.
Which solution did I use previously and why did I switch?
We were using a Symantec tool before. We stopped using it because we were exiting a relationship with the Symantec tools. We chose Microsoft Defender for Office 365 because we had a relationship with Microsoft, and it did similar things to what we used the Symantec tool for. It was an easy choice.
How was the initial setup?
The initial setup was complex. It doesn't work. Semantic Index takes 48 hours. Getting people to onboard is not as simple as turning it on and making it work.
We have to ensure that we are teaching people about these tools, their value, and the use cases to determine whether they will use them. If we turn it on and somebody is not trained to use the tool, they will abandon it. It's still not functioning properly. It's a bit of a risk for Microsoft to push out a tool that's not ready yet.
What about the implementation team?
We did the implementation ourselves. We have a large enough internal team.
What's my experience with pricing, setup cost, and licensing?
The solution is too expensive. Each license costs us $30.
Which other solutions did I evaluate?
Google is an alternative. The comparison is based on market share, penetration, usefulness of tools, and cost. Microsoft has the lead. It's embedded. We use it as a productivity suite for our company. Excel, Word, and PowerPoint are tools that people use on a daily basis.
What other advice do I have?
The tool provides a little bit of unified identity and access management. It's not the most important thing for us. Security is a multi-layered strategy, and Defender is one aspect.
The product is one of the many tools we deploy to ensure that the lateral movement of advanced attacks does not occur. If it were the only tool we had, I wouldn't be as confident in saying that we have the proper levels of security, but it is one of the multiple tools we have. So, lateral movement is almost impossible.
The solution might be able to adapt to evolving threats in a smaller shop. However, it is not so in our organization.
We run a bank. We are testing out Copilot. We're about to roll it out to several thousand users. The tool hasn't yet helped improve things in our organization, but it has the potential. Copilot is new. It's difficult to determine the ROI and its value. It's hard to tell. We do get some value out of the product.
Overall, I rate the product a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Buyer's Guide
Download our free Microsoft Defender XDR Report and get advice and tips from experienced pros
sharing their opinions.
Updated: February 2025
Product Categories
Extended Detection and Response (XDR) Endpoint Detection and Response (EDR) Microsoft Security SuitePopular Comparisons
CrowdStrike Falcon
SentinelOne Singularity Complete
Cortex XDR by Palo Alto Networks
IBM Security QRadar
Elastic Security
Intercept X Endpoint
Trellix Endpoint Security
Forescout Platform
Trend Vision One
Vectra AI
Rapid7 InsightIDR
Mandiant Advantage
Stellar Cyber Open XDR
Buyer's Guide
Download our free Microsoft Defender XDR Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What is the best EDR or XDR product for a company with 9000 employees?
- When evaluating Extended Detection and Response (XDR), what aspect do you think is the most important to look for?
- How do you decide about the alert severity in your Security Operations Center (SOC)?
- Which is better for Endpoint Security: EDR or XDR solutions?
- What are the main differences between XDR and SIEM?
- Why is Extended Detection and Response (XDR) important for companies?
- How do you use the MITRE ATT&CK framework for improving enterprise security?
- What tools and solutions do you use for automated incident response in an enterprise in 2022?
- FortiXDR vs Cortex Pro - which is the best?
- What is Cognitive Cybersecurity and what is it used for?