What is Happening in the Microsoft 365 Security Menu Consolidation?
Investigate multi-staged incidents in 1 menu instead of 3.
Microsoft recently announced its intention to consolidate some of its cloud security products, and the process has already started. Some of the most obvious changes are already apparent, like the new navigation options added to the Microsoft 365 Security menu, but what else will change because of this consolidation?
In this blog, we will go over the major changes that will affect most organizations once the consolidation is finished. We will also discuss the current progress of the consolidation and how the menus should be used during the transition period.
MDE is Moving to 365 Security
All the endpoint management capabilities of MDE (Microsoft Defender for Endpoint) are being moved over to the Microsoft 365 Security menu, including features like TVM (Threat and Vulnerability Management). Everything has already been replicated over from MDE except for the Automated Investigations menu.
The menus are so close in functionality that an analyst could reasonably use either, but they would have to go to 365 Security for advanced hunting and to MDE for Automated Investigations. Since MDE is going to be phased out eventually, it may be a good idea to have analysts start using 365 Security as their default endpoint investigation menu.
Defender for Office 365 Will Be in 1 Menu
Before the consolidation, an analyst would need to go to 2 different menus to finish investigating an incident involving email. After the consolidation, there will be only 1 menu that analysts use to finish their email investigations.
Unfortunately, the transition between these 2 menus is not complete yet, so analysts will still need to investigate email incidents in both menus. While investigating an email-based incident, the Mailbox and Evidence tabs are only found in 365 Security. The Email, Users, and Machines tabs are only available in Office 365 Security & Compliance. For more information, see our blog on 365 Security menus.
Security and Compliance are Separating
With the Microsoft 365 Security & Compliance menu being phased out, the compliance settings and information needed to be moved somewhere. The new Microsoft 365 Compliance menu has all the features in the original Security & Compliance menu in a separate area so that analysts and admins setting policy do not have to share the same menu.
Multi-Platform Reports Menu
The reports menus from both MDE and Defender for Office 365 have been moved over to the 365 Security menu. Now security analysts and admins can view reports about the security of their endpoints and email in the same consolidated menu.
Changes Are Ongoing
The consolidation is not finished yet, and there are likely to be other changes made before it is finished. We cannot be certain of the timeline for the rest of the changes or if any more changes will be made. All security analysts and admins can do for now is keep monitoring Microsoft’s security news sources for more updates.
We will continue to share best practices and lessons learned in future posts on Microsoft cloud security product updates. The updates that Microsoft makes impact what we do at CyberMSI, so we are constantly monitoring for important updates.
In closing, consider these three questions when managing Microsoft security platform updates in your organization:
- Are we evaluating changes to Microsoft security products as part of our change management processes?
- Will we have to retrain our security analysts and admins based on these changes?
- How can we take advantage of the changes to the menus now that they are being arranged more logically?