M03 · Security Platform Overview
Course: Microsoft Defender — Security Operations Fundamentals
Module duration: 2.5 hours (including lab)
Format: Instructor-led, hands-on
Currency note (as of June 2026): Microsoft renames and reorganizes this product family frequently, and licensing bundles change regularly. Verify product names, portal paths, and which plan unlocks which capability against current Microsoft Learn before relying on specifics here.
Learning objectives
By the end of this module you will be able to:
- Describe the Microsoft security ecosystem and how its major products relate to one another.
- Explain Zero Trust principles and identify where each Microsoft product enforces them.
- Name the core products — Defender XDR, Sentinel, Entra, Intune, Purview, Security Copilot — and their primary functions.
- Identify which licensing plans unlock which capabilities.
1. The Microsoft security stack at a glance
Microsoft’s security portfolio spans several disciplines that together cover identity, devices, data, cloud, and operations. The acronyms map to familiar categories:
- SIEM (Security Information and Event Management) — collect and correlate logs at scale → Microsoft Sentinel.
- XDR (Extended Detection and Response) — correlate detections across workloads → Microsoft Defender XDR.
- IAM (Identity and Access Management) — who is who, and what they can access → Microsoft Entra.
- UEM (Unified Endpoint Management) — manage and secure devices → Microsoft Intune.
- DLP / data governance — protect and classify data → Microsoft Purview.
- AI for security operations → Microsoft Security Copilot.
These are not silos. The strategic idea is that signals flow between products — an identity risk in Entra, a device alert in Defender for Endpoint, and a data event in Purview can combine into one coherent picture rather than three disconnected tools.
2. Zero Trust — the organizing model
Zero Trust is the security model these products are built to enforce. It replaces the old “trusted internal network” assumption with three principles:
- Verify explicitly — always authenticate and authorize using all available signals (identity, device health, location, risk) — not just network location.
- Use least-privilege access — grant the minimum access needed, just-in-time and just-enough, to limit blast radius.
- Assume breach — operate as though an attacker is already inside: segment, monitor everything, and minimize the damage a compromise can do.
Zero Trust is commonly described across pillars — identity, endpoints/devices, applications, data, infrastructure, and network — with visibility, automation, and orchestration spanning them. Each Microsoft product enforces the principles in one or more pillars.
Diagram alt text: A top node states the three Zero Trust principles — verify explicitly, least privilege, assume breach. It branches to five pillars, each labeled with the Microsoft product that enforces it: Identity to Microsoft Entra; Endpoints to Intune plus Defender for Endpoint; Data to Microsoft Purview; Infrastructure/Cloud to Defender for Cloud; and a cross-pillar visibility and response layer to Defender XDR, Sentinel, and Security Copilot.
3. The product map
3.1 Microsoft Defender XDR — extended detection and response
The unified portal (https://security.microsoft.com) that correlates signals from the workload Defenders — Endpoint, Office 365, Identity, Cloud Apps — into single incidents. It is the SOC analyst’s primary console for incidents, alerts, advanced hunting, and threat analytics. Covered in depth in Module 4.
3.2 Microsoft Sentinel — cloud-native SIEM/SOAR
A cloud-native SIEM (log collection/correlation at scale) with SOAR (Security Orchestration, Automation, and Response) capabilities. Sentinel ingests data from across the estate (including non-Microsoft sources) into a Log Analytics workspace, runs analytics rules, and automates response with playbooks. As of June 2026, Sentinel is increasingly surfaced inside the unified Defender portal alongside Defender XDR.
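The idea in section 1 that signals from identity, endpoint and data products should combine into one picture, and the incident correlation that 3.1 (Defender XDR) and 3.2 (Sentinel analytics rules) describe, can be shown with a small correlation routine. The code below is an added teaching example, not Microsoft's or any product's code: it groups constructed alerts from three hypothetical sources by user entity, splits them into incidents when the gap between alerts exceeds a time window, and ranks incidents so that multi-source ones surface first. The alert field names and the sample alerts are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample alerts from three hypothetical sources (identity, endpoint,
# data). Field names and values are this example's own, not any product schema.
SAMPLE_ALERTS: List[Dict] = [
    {"source": "identity", "time": "2026-06-01T08:00:00", "user": "alice",
     "device": None, "title": "risky sign-in", "severity": 2},
    {"source": "endpoint", "time": "2026-06-01T08:07:00", "user": "alice",
     "device": "LAPTOP-01", "title": "suspicious process", "severity": 3},
    {"source": "data", "time": "2026-06-01T08:20:00", "user": "alice",
     "device": "LAPTOP-01", "title": "DLP policy match", "severity": 2},
    {"source": "endpoint", "time": "2026-06-01T13:00:00", "user": "bob",
     "device": "LAPTOP-02", "title": "malware blocked", "severity": 1},
    {"source": "identity", "time": "2026-06-02T09:00:00", "user": "alice",
     "device": None, "title": "unfamiliar sign-in properties", "severity": 2},
]


def correlate(alerts: List[Dict], window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Fold per-product alerts into user-centred incidents.

    Alerts for the same user that arrive within `window` of the previous alert
    join the same incident; a longer gap starts a new one. Each incident keeps
    the set of contributing sources and devices and its highest alert severity.
    """
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for alert in alerts:
        by_user[alert["user"]].append(dict(alert, ts=datetime.fromisoformat(alert["time"])))

    incidents: List[Dict] = []
    for user, items in by_user.items():
        items.sort(key=lambda a: a["ts"])
        current = None
        for alert in items:
            if current is None or alert["ts"] - current["last"] > window:
                current = {"entity": user, "alerts": [], "sources": set(),
                           "devices": set(), "severity": 0,
                           "first": alert["ts"], "last": alert["ts"]}
                incidents.append(current)
            current["alerts"].append(alert["title"])
            current["sources"].add(alert["source"])
            if alert["device"]:
                current["devices"].add(alert["device"])
            current["severity"] = max(current["severity"], alert["severity"])
            current["last"] = alert["ts"]

    # Triage order: incidents spanning more products first, then by severity.
    # A single low-severity alert from one product ranks below a chain that an
    # identity, an endpoint and a data product all contributed to.
    incidents.sort(key=lambda i: (len(i["sources"]), i["severity"]), reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc['entity']:6} sev={inc['severity']} sources={sorted(inc['sources'])} "
              f"alerts={inc['alerts']}")
```

Running the block yields three incidents: alice's three morning alerts collapse into one incident spanning all three sources, her next-day identity alert stands alone, and bob's single endpoint alert ranks last. The same grouping is what an analyst expects to see as one incident in a unified portal rather than three unrelated alerts.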
3.3 Microsoft Entra — identity and access management
The identity platform (formerly Azure Active Directory). Handles authentication, Conditional Access, multifactor authentication (MFA), and identity protection/risk. Entra is the front door of Zero Trust’s “verify explicitly” principle.
3.4 Microsoft Intune — endpoint and mobile device management
Unified endpoint management: enroll, configure, secure, and apply compliance policy to devices (Windows, macOS, iOS, Android). Device compliance state from Intune feeds Conditional Access decisions, linking device health to access.
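The three Zero Trust principles from section 2 and the Intune-to-Conditional-Access link just described (device compliance feeding the access decision) can be made concrete with a small policy evaluator. The code below is an added example written for this handout, not Microsoft Entra or Intune code; the signal fields, the policy shape and the sample sign-ins are hypothetical. It applies least privilege (the user must hold a role the app allows), verifies explicitly (sign-in risk and device compliance are checked on every request, and being on the corporate network never skips a check) and assumes breach (every decision, grants included, is written to an audit trail).

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple

# Added example: a toy Conditional-Access-style evaluator. Field and policy
# names are this example's own assumptions, not Microsoft Entra or Intune APIs.


class Decision(Enum):
    GRANT = "grant"
    REQUIRE_MFA = "require_mfa"
    BLOCK = "block"


RISK_ORDER: Dict[str, int] = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignInContext:
    """Signals available at sign-in time (hypothetical shape)."""
    user: str
    roles: FrozenSet[str]        # memberships asserted by the identity provider
    mfa_satisfied: bool          # strong authentication already completed
    device_compliant: bool       # compliance state reported by device management
    sign_in_risk: str            # "none" | "low" | "medium" | "high"
    on_corporate_network: bool   # network location: one signal, never a shortcut


@dataclass(frozen=True)
class AppPolicy:
    """Per-application policy (hypothetical shape)."""
    app: str
    allowed_roles: FrozenSet[str]
    require_compliant_device: bool = True
    block_risk_at_or_above: str = "high"
    mfa_risk_at_or_above: str = "none"   # "none" means MFA is always required


def _decide(ctx: SignInContext, policy: AppPolicy) -> Tuple[Decision, str]:
    # Least privilege: the user must hold a role this app explicitly allows.
    if not (ctx.roles & policy.allowed_roles):
        return Decision.BLOCK, "no allowed role"
    risk = RISK_ORDER[ctx.sign_in_risk]
    # Verify explicitly: risk and device health are checked on every request;
    # on_corporate_network is deliberately never consulted to skip a check.
    if risk >= RISK_ORDER[policy.block_risk_at_or_above]:
        return Decision.BLOCK, f"sign-in risk {ctx.sign_in_risk}"
    if policy.require_compliant_device and not ctx.device_compliant:
        return Decision.BLOCK, "device not compliant"
    if risk >= RISK_ORDER[policy.mfa_risk_at_or_above] and not ctx.mfa_satisfied:
        return Decision.REQUIRE_MFA, "step-up authentication required"
    return Decision.GRANT, "all signals satisfied"


def evaluate(ctx: SignInContext, policy: AppPolicy, audit: List[dict]) -> Tuple[Decision, str]:
    decision, reason = _decide(ctx, policy)
    # Assume breach: every outcome, grants included, is recorded so that later
    # hunting can reconstruct who reached which app, from where, and why.
    audit.append({"user": ctx.user, "app": policy.app, "decision": decision.value,
                  "reason": reason,
                  "network": "corporate" if ctx.on_corporate_network else "external"})
    return decision, reason


PAYROLL = AppPolicy(app="payroll", allowed_roles=frozenset({"hr", "finance"}))


def run_scenarios(audit: List[dict] = None) -> List[Tuple[str, Decision, str]]:
    """Constructed sign-ins; returns (label, decision, reason) for each."""
    audit = [] if audit is None else audit
    scenarios = [
        ("corp network, non-compliant device",
         SignInContext("alice", frozenset({"hr"}), True, False, "none", True)),
        ("external, compliant, MFA done, low risk",
         SignInContext("alice", frozenset({"hr"}), True, True, "low", False)),
        ("corp network, compliant, no MFA yet",
         SignInContext("alice", frozenset({"hr"}), False, True, "none", True)),
        ("compliant, MFA done, high risk",
         SignInContext("alice", frozenset({"hr"}), True, True, "high", False)),
        ("no payroll role",
         SignInContext("bob", frozenset({"sales"}), True, True, "none", True)),
    ]
    return [(label, *evaluate(ctx, PAYROLL, audit)) for label, ctx in scenarios]


if __name__ == "__main__":
    trail: List[dict] = []
    for label, decision, reason in run_scenarios(trail):
        print(f"{label:42} -> {decision.value:12} ({reason})")
    print(f"{len(trail)} decisions recorded in the audit trail")
```

The first and second scenarios are the ones worth dwelling on in class: a sign-in from inside the corporate network on a non-compliant device is blocked, while an external sign-in from a compliant device with MFA completed is granted. Network location alone neither grants nor denies anything, which is the practical meaning of "verify explicitly".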
3.5 Microsoft Purview — data governance, compliance, and DLP
Protects and governs data: classification and sensitivity labels, data loss prevention (DLP), information protection, insider risk management, and compliance/eDiscovery. Enforces the Zero Trust data pillar.
3.6 Microsoft Security Copilot — AI-assisted security operations
A generative-AI assistant for security operations: incident summarization, guided response, KQL assistance, script analysis, and report generation, available standalone and embedded in products like Defender XDR. Covered in depth in Module 10.
| Product | Category | Primary function |
|---|---|---|
| Defender XDR | XDR | Correlate workload detections into unified incidents |
| Sentinel | SIEM/SOAR | Estate-wide log analytics + automated response |
| Entra | IAM | Identity, authentication, Conditional Access, risk |
| Intune | UEM | Device enrollment, configuration, compliance |
| Purview | Data governance/DLP | Classify, protect, and govern data |
| Security Copilot | AI | Accelerate investigation, summarization, response |
4. Licensing landscape
Licensing is volatile: the notes below reflect June 2026, so confirm them against current Microsoft Learn / product licensing pages before relying on them. Bundle and add-on names change.
- Microsoft 365 E5 is the flagship bundle that includes much of the Defender XDR suite (Defender for Endpoint Plan 2, Defender for Office 365 Plan 2, Defender for Identity, Defender for Cloud Apps) plus advanced Entra and Purview capabilities.
- Standalone / add-on plans exist for many components (e.g., Defender for Endpoint P1 vs P2, Defender for Office 365 P1 vs P2), letting organizations buy a capability without the full bundle.
- Defender for Cloud is licensed per resource/usage through Azure (per-plan pricing), separate from the M365 bundles.
- Microsoft Sentinel and Security Copilot are consumption-based (Sentinel by data ingestion/retention; Copilot by Security Compute Units, SCU), not part of an M365 seat license.
Why a SOC analyst should care: the features you can use depend on what is licensed. A capability “missing” from a portal is often a licensing gap, not a bug. Knowing the plan tiers helps you give accurate guidance and troubleshoot “why can’t I see X.”
5. The unified Defender portal (orientation)
As of June 2026 — verify live. At https://security.microsoft.com, the left navigation surfaces each workload: Incidents & alerts, Hunting, Threat analytics, and product sections for Endpoints, Email & collaboration, Cloud apps, Identities, plus Settings. In the lab you will tour the portal, identify where each product appears, and map two products to Zero Trust pillars using the provided worksheet.
6. Module summary
- Microsoft’s security stack covers SIEM (Sentinel), XDR (Defender XDR), IAM (Entra), UEM (Intune), data governance/DLP (Purview), and AI (Security Copilot) — designed to share signals, not operate in silos.
- Zero Trust — verify explicitly, least privilege, assume breach — is the organizing model; each product enforces it across one or more pillars (identity, endpoints, data, infrastructure, with cross-pillar visibility/response).
- Licensing determines available capabilities: M365 E5 bundles most of Defender XDR; Defender for Cloud, Sentinel, and Copilot are billed separately by usage/consumption.
Glossary (first-use acronyms in this module)
- DLP — Data Loss Prevention.
- IAM — Identity and Access Management.
- MFA — Multifactor Authentication.
- SCU — Security Compute Unit (Security Copilot’s capacity unit).
- SIEM — Security Information and Event Management.
- SOAR — Security Orchestration, Automation, and Response.
- UEM — Unified Endpoint Management.
- XDR — Extended Detection and Response.
- Zero Trust — security model based on verify explicitly, least privilege, assume breach.
Sources
Citations recorded per CLAUDE.md. Living documents; “as of June 2026” stamps indicate currency.
- Microsoft Learn — “What is Microsoft Defender XDR?” https://learn.microsoft.com/defender-xdr/microsoft-365-defender
- Microsoft Learn — “What is Microsoft Sentinel?” https://learn.microsoft.com/azure/sentinel/overview
- Microsoft Learn — “What is Microsoft Entra ID?” https://learn.microsoft.com/entra/fundamentals/whatis
- Microsoft Learn — “Microsoft Intune overview.” https://learn.microsoft.com/mem/intune/fundamentals/what-is-intune
- Microsoft Learn — “Microsoft Purview overview.” https://learn.microsoft.com/purview/purview
- Microsoft Learn — “What is Microsoft Security Copilot?” https://learn.microsoft.com/copilot/security/microsoft-security-copilot
- Microsoft Learn — “Zero Trust security model / guidance.” https://learn.microsoft.com/security/zero-trust/zero-trust-overview
- Microsoft Learn — Microsoft 365 / Defender plan comparison and licensing. https://learn.microsoft.com/ (search “Microsoft 365 E5 security licensing”; verify, as of June 2026).
M03 of 10 · Microsoft Defender — Security Operations Fundamentals · maps to curriculum.md → M03 learning objectives 1–4. Student handout — distribute freely to learners. No answer keys contained.