AB-900 Study Guide

Domain 1: M365 Core Features & Objects

  • Welcome to Microsoft 365
  • Exchange Online: Mailboxes & Distribution
  • SharePoint: Sites, Libraries & Permissions
  • Microsoft Teams: Teams, Channels & Policies
  • Users, Groups & Licensing
  • Zero Trust: Never Trust, Always Verify
  • Authentication: Passwords, MFA & Beyond
  • Microsoft Defender XDR
  • Microsoft Entra: Your Identity Hub
  • PIM, Audit Logs & Identity Governance

Domain 2: Data Protection & Governance

  • Microsoft Purview: The Big Picture
  • Sensitivity Labels & Data Classification
  • Data Loss Prevention (DLP)
  • Insider Risk & Communication Compliance
  • DSPM for AI & Data Lifecycle
  • How Copilot Accesses Your Data
  • Responsible AI Principles
  • Compliance Manager & eDiscovery
  • Activity Explorer & Data Monitoring
  • Oversharing in SharePoint

Domain 3: Copilot & Agent Admin

  • What is Microsoft 365 Copilot? Free
  • What Are Agents? Free
  • Copilot vs Agents: When to Use Which Free
  • Copilot Licensing: Monthly vs Pay-as-You-Go Free
  • Researcher, Analyst & Real-World Use Cases Free
  • Managing Copilot: Billing, Monitoring & Prompts Free
  • Building Agents: Create, Test & Publish Free
  • Agent Lifecycle: Access, Approval & Monitoring Free

Domain 1: M365 Core Features & Objects (Premium, ~11 min read)

Microsoft Defender XDR

Defender XDR is your security operations centre in a box. It detects threats across email, endpoints, identity, and cloud apps — and connects the dots between them.

What is Defender XDR?

☕ Simple explanation

Think of Defender XDR as a team of security guards watching different parts of a building — but they all talk to each other.

One guard watches the mailroom (Defender for Office 365 — catches phishing emails). Another watches the computer lab (Defender for Endpoint — detects malware on devices). A third watches the front desk (Defender for Identity — spots suspicious logins). And a fourth watches the third-party shops in the building (Defender for Cloud Apps — monitors SaaS apps).

What makes XDR special: when one guard spots something suspicious, they automatically alert the others. A phishing email (mailroom) that leads to malware (computer lab) that triggers a suspicious login (front desk) → XDR connects all three into ONE incident.

Microsoft Defender XDR (Extended Detection and Response) is an integrated security platform that correlates signals across email, endpoints, identity, and cloud applications to detect, investigate, and respond to sophisticated threats.

XDR goes beyond traditional point solutions by automatically connecting related alerts into unified incidents, reducing alert fatigue and enabling faster response. It’s accessed through the Microsoft Defender portal (security.microsoft.com).

The Defender XDR family

Microsoft Defender XDR components (feature, what it protects, key capabilities):

  • Defender for Office 365: protects email and collaboration (Outlook, Teams, SharePoint). Key capabilities: anti-phishing, anti-malware, Safe Attachments, Safe Links, BEC detection.
  • Defender for Endpoint: protects devices (Windows, Mac, Linux, mobile). Key capabilities: endpoint detection and response (EDR), vulnerability management, attack surface reduction.
  • Defender for Identity: protects on-premises Active Directory. Key capabilities: lateral movement detection, compromised credential alerts, reconnaissance activity detection.
  • Defender for Cloud Apps: protects SaaS applications (M365 + third-party). Key capabilities: shadow IT discovery, app governance, session controls, anomaly detection.

Key exam concept: The exam tests whether you know which Defender component protects which area. The mnemonic: Office = email, Endpoint = devices, Identity = sign-ins, Cloud Apps = SaaS applications.

How XDR connects the dots

The power of XDR is correlation. A single attack often crosses multiple domains:

  1. 📧 Phishing email arrives (Defender for Office 365 detects it)
  2. 👆 User clicks the link → malware downloaded (Defender for Endpoint detects it)
  3. 🔑 Malware steals credentials → suspicious login from new location (Entra ID Protection flags impossible travel)
  4. 📤 Attacker uses stolen credentials to access SharePoint (Defender for Cloud Apps detects it)

Without XDR: 4 separate alerts in 4 separate tools. The admin might not connect them. With XDR: 1 correlated incident showing the full attack chain. The admin sees the complete picture.
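To make the "four alerts become one incident" idea concrete, here is an added example (not Microsoft's code and not part of the original study guide) of the correlation logic in miniature. It constructs five sample alerts with the entities each one touches (user, device, message id, IP, site; all values are made up), then links alerts that share an entity within a time window and reports each connected group as one incident, ordered by time so the attack chain reads top to bottom. The source labels and entity kinds are assumptions for illustration, not the Defender portal's schema.

```python
"""Toy alert-to-incident correlation, in the spirit of XDR.

Added example with constructed data: four alerts from four sources share
entities (user, device, message id, IP), so they merge into one incident;
an unrelated alert on another user stays in its own incident.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str           # which component raised it (constructed labels)
    title: str
    timestamp: datetime
    entities: frozenset   # ("kind", "value") pairs the alert involves


# Constructed sample alerts mirroring the four-step chain in the text,
# plus one unrelated alert (A5) that must NOT be pulled into the incident.
SAMPLE_ALERTS = [
    Alert("A1", "Defender for Office 365", "Phishing email delivered",
          datetime(2025, 1, 1, 9, 0),
          frozenset({("user", "alex@example.com"), ("message", "MSG-123")})),
    Alert("A2", "Defender for Endpoint", "Malware executed after link click",
          datetime(2025, 1, 1, 9, 4),
          frozenset({("user", "alex@example.com"), ("device", "LAPTOP-01"),
                     ("message", "MSG-123")})),
    Alert("A3", "Entra ID Protection", "Impossible travel sign-in",
          datetime(2025, 1, 1, 9, 12),
          frozenset({("user", "alex@example.com"), ("ip", "203.0.113.7")})),
    Alert("A4", "Defender for Cloud Apps", "Unusual SharePoint file access",
          datetime(2025, 1, 1, 9, 15),
          frozenset({("user", "alex@example.com"), ("ip", "203.0.113.7"),
                     ("site", "Finance")})),
    Alert("A5", "Defender for Endpoint", "Potentially unwanted app detected",
          datetime(2025, 1, 1, 10, 0),
          frozenset({("user", "sam@example.com"), ("device", "DESKTOP-07")})),
]


def correlate(alerts, window=timedelta(hours=24)):
    """Group alerts that share an entity within `window` into incidents.

    Alerts are processed in time order. For every entity an alert touches,
    it is linked (union-find) to the most recent earlier alert on that same
    entity, provided that alert is no older than `window`. The window keeps
    a long-lived entity such as a user from chaining unrelated alerts across
    days. Returns a list of incidents; each incident is a list of alerts
    sorted by time (the attack chain), and incidents are sorted by start.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    last_seen = {}   # entity -> (timestamp, alert key) of the latest alert on it
    for alert in sorted(alerts, key=lambda a: a.timestamp):
        key = ("alert", alert.alert_id)
        find(key)                            # register even entity-less alerts
        for ent in alert.entities:
            prev = last_seen.get(ent)
            if prev is not None and alert.timestamp - prev[0] <= window:
                union(key, prev[1])
            last_seen[ent] = (alert.timestamp, key)

    groups = {}
    for alert in alerts:
        groups.setdefault(find(("alert", alert.alert_id)), []).append(alert)

    incidents = [sorted(g, key=lambda a: a.timestamp) for g in groups.values()]
    incidents.sort(key=lambda inc: inc[0].timestamp)
    return incidents


def describe(incident):
    """One-line summary: alert count and the chain of sources in time order."""
    return f"{len(incident)} alert(s): " + " -> ".join(a.source for a in incident)


if __name__ == "__main__":
    for n, inc in enumerate(correlate(SAMPLE_ALERTS), start=1):
        print(f"Incident {n}: {describe(inc)}")
```

With the default 24-hour window the four chained alerts collapse into one incident and A5 stays separate. Shrinking the window to five minutes splits the chain between A2 (09:04) and A3 (09:12), which shows the trade-off a correlation engine has to make: too wide and unrelated noise on a busy user merges into one incident, too narrow and a slow-moving attack is reported as fragments.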

💡 Scenario: Northwave stops an attack

Jordan (Northwave’s CISO) gets ONE incident alert in the Defender portal:

Incident: Credential phishing leading to data exfiltration

  • 📧 Email from “IT Support” with a fake password reset link → blocked by Safe Links
  • 💻 3 users clicked before Safe Links kicked in → Defender for Endpoint quarantined malware
  • 🔑 1 user’s credentials were captured → Entra ID Protection flagged impossible travel (login from Auckland then London in 10 minutes)
  • 📁 Attacker accessed 5 SharePoint files before being blocked → Defender for Cloud Apps session terminated

XDR automated response: Blocked the attacker’s IP, forced password reset for affected user, quarantined the phishing email from all inboxes.

Total time from first email to full containment: 4 minutes. Without XDR, this could have taken hours with separate tools.

Threat intelligence

Microsoft’s threat intelligence comes from:

  • Microsoft Threat Intelligence Center (MSTIC) — tracks nation-state actors
  • Trillions of signals daily — from Windows, Azure, M365, Bing, LinkedIn
  • Dark web monitoring — checks if your organisation’s credentials appear in breaches

This intelligence feeds into Defender XDR automatically — you don’t configure it, but it’s important to know it exists for the exam.

🎬 Video walkthrough

Video coming soon: Microsoft Defender XDR — AB-900 Module 8 (~9 min)

Flashcards

Question: What does XDR stand for, and what does it do?

Answer: Extended Detection and Response. It correlates security signals across email, endpoints, identity, and cloud apps to detect, investigate, and respond to threats as unified incidents — not separate alerts.

Question: What are the four Defender XDR components?

Answer: 1) Defender for Office 365 (email/collaboration). 2) Defender for Endpoint (devices). 3) Defender for Identity (on-prem AD sign-ins). 4) Defender for Cloud Apps (SaaS applications).

Question: What is the key advantage of XDR over separate security tools?

Answer: Correlation — XDR automatically connects related alerts from different domains (email, device, identity, apps) into a single incident, showing the full attack chain instead of isolated alerts.

Knowledge Check

A phishing email is sent to 50 Northwave employees. 5 users click the link and download malware. 1 user's credentials are stolen and used to access SharePoint files. Which Defender XDR components are involved in detecting this attack chain?


Next up: Microsoft Entra — the identity and access management hub that controls who gets in and what they can do.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.