| 1 | +--- |
| 2 | +# Required metadata |
| 3 | +# For more information, see https://learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata |
| 4 | +# For valid values of ms.service, ms.prod, and ms.topic, see https://learn.microsoft.com/en-us/help/platform/metadata-taxonomies |
| 5 | + |
| 6 | +title: MDO API Vendor Ecosystem Integration Guide |
| 7 | +description: Help customers understand how the API Vendor Ecosystem enables Microsoft Defender for Office 365 (MDO) to integrate with trusted third-party email security vendors |
| 8 | +author: aylamck # GitHub alias |
| 9 | +ms.author: aylamckorkle # Microsoft alias |
| 10 | +ms.service: defender-office-365 |
| 11 | +ms.topic: article |
| 12 | +ms.date: 06/08/2025 |
| 13 | +--- |
| 14 | + |
| 15 | +# MDO API Vendor Ecosystem Integration Guide |
| 16 | + |
| 17 | +## Overview |
| 18 | + |
| 19 | +The API Vendor Ecosystem enables Microsoft Defender for Office 365 (MDO) to integrate with trusted third-party email security vendors. This integration supports a multi-layered defense strategy, allowing customers to benefit from niche capabilities provided by external partners while maintaining a unified experience within the Microsoft Security portal. |
| 20 | + |
| 21 | +This article outlines the goals, benefits, and deployment considerations for organizations participating in the API Vendor Ecosystem. |
| 22 | + |
| 23 | +> [!NOTE] |
| 24 | +> This guide outlines the integration experience and ecosystem principles. Specific API details aren't publicly available. |
| 25 | +
|
| 26 | +## Benefits of the API Vendor Ecosystem |
| 27 | + |
| 28 | +**Unified Quarantine**: View and manage quarantined emails from both MDO and third-party vendors in a single interface. |
| 29 | + |
| 30 | +**Consolidated Dashboards**: Access effectiveness metrics across all integrated solutions to understand detection coverage and outcomes. |
| 31 | + |
| 32 | +**Defense in Depth**: Enhance protection by layering third-party capabilities alongside MDO’s native defenses. |
| 33 | + |
| 34 | +**Streamlined Operations**: Seamless integration with cloud-native, API-enabled email security vendors through consolidated workflows and insights within the Microsoft 365 Security portal. |
| 35 | + |
| 36 | +## Prerequisites |
| 37 | + |
| 38 | +Integration features are available to customers with Microsoft Defender for Office 365 Plan 2 (P2) or Microsoft 365 E5 licenses. |
| 39 | + |
| 40 | +- Must be licensed with one of the following third-party solutions: |
| 41 | + |
| 42 | + - Darktrace/EMAIL |
| 43 | + |
| 44 | + - KnowBe4 Defend Platform |
| 45 | + |
| 46 | +## Getting Started |
| 47 | + |
| 48 | +1. **Check License Eligibility** |
| 49 | + |
| 50 | + 1. Ensure your tenant has MDO P2 or Microsoft 365 E5 licenses. |
| 51 | + |
| 52 | +1. **Select a Partner** |
| 53 | + |
| 54 | + 1. Choose from approved API vendors. |
| 55 | + |
| 56 | +1. **Enable Integration** |
| 57 | + |
| 58 | + 1. Once you onboard to the strategic integration partner, their solution is seamlessly and automatically incorporated into your security architecture. |
| 59 | + |
| 60 | +1. **Monitor and Manage** |
| 61 | + |
| 62 | + 1. Use the unified dashboards and quarantine to monitor threat activity and take action. |
| 63 | + |
| 64 | +## Understanding the Integration |
| 65 | + |
| 66 | +The integration works by allowing the third-party to pass in details on a specific message regarding the verdict, confidence level, and any threat details they would like to share via a private Microsoft Graph API. Microsoft Defender for Office 365 acknowledges the verdict provided and determine what the highest verdict on a message was. MDO updates the message and/or logs with the verdict information, moving the message to the user policy-specified location. You can see the results of this integration in multiple unified experiences, including Reporting, Advanced Hunting, Email Entity, Quarantine, and Threat Explorer. |
| 67 | + |
| 68 | +## Configuring your Policies |
| 69 | + |
| 70 | +To ensure optimal protection and consistent behavior across integrated solutions, it is essential to configure security policies appropriately in both Microsoft Defender for Office 365 (MDO) and any participating third-party vendor platforms. |
| 71 | + |
| 72 | +#### Microsoft Defender for Office 365 Policy Recommendations |
| 73 | + |
| 74 | +Microsoft recommends enabling either the **Standard** or **Strict** preset security policies for all users in your tenant. These presets are designed to provide a baseline of protection aligned with current threat intelligence and best practices. |
| 75 | + |
| 76 | +> [!TIP] |
| 77 | +> For more granular guidance on setting up user policies, refer to the official documentation on **[preset security policies](/defender-office-365/preset-security-policies)**. |
| 78 | +
|
| 79 | +Additionally, administrators are encouraged to use the [Configuration Analyzer](/defender-office-365/configuration-analyzer-for-security-policies) to identify and remediate deviations from recommended policy baselines. |
| 80 | + |
| 81 | +#### Policy Alignment with Third-Party Vendors |
| 82 | + |
| 83 | +To maintain consistent message handling and threat response across the ecosystem, it is critical to align policy configurations between MDO and the integrated third-party solution. This alignment ensures that messages flagged by either system exhibit predictable behavior and are surfaced appropriately in unified dashboards and quarantine views. |
| 84 | + |
| 85 | +Once policy alignment is established, the remainder of the integration lifecycle - including monitoring, reporting, and response - can be managed directly within the Microsoft 365 Security portal. |
| 86 | + |
| 87 | +## Portal Experiences |
| 88 | + |
| 89 | +The Microsoft 365 Defender portal provides a comprehensive and integrated experience for managing both native and third-party email security solutions. The following capabilities are enhanced through participation in the API Vendor Ecosystem: |
| 90 | + |
| 91 | +#### Unified Quarantine |
| 92 | + |
| 93 | +Messages quarantined by third-party vendors are surfaced within the Microsoft 365 Defender [quarantine](/defender-office-365/quarantine-about) experience. Security teams can search, preview, release, report, and take remediation actions on these messages using the same workflows applied to Microsoft Defender for Office 365 detections. This unified view reduces operational complexity and ensures consistent handling of threats across the email security stack. |
| 94 | + |
| 95 | +#### Threat Explorer |
| 96 | + |
| 97 | +[Threat Explorer](/defender-office-365/threat-explorer-real-time-detections-about) provides real-time visibility into email threats across the organization. Messages processed by third-party vendors and surfaced through the ecosystem are included in Explorer views, enabling analysts to investigate campaigns, trace message delivery paths, and correlate threat signals across detection sources. |
| 98 | + |
| 99 | +#### Email Entity |
| 100 | + |
| 101 | +The [Email Entity](/defender-office-365/mdo-email-entity-page) page consolidates all available metadata and telemetry for a given message, including headers, delivery events, detection verdicts, and user actions. For messages processed by ecosystem partners, the page includes vendor-specific detection technology, offering a complete forensic view in a single pane of glass. |
| 102 | + |
| 103 | +#### Advanced Hunting |
| 104 | + |
| 105 | +Security teams can use Microsoft 365 Defender’s [Advanced Hunting](/defender-xdr/advanced-hunting-overview) capabilities to query and correlate data across native and third-party detections. Vendor-submitted messages are represented in the [EmailEvents](/defender-xdr/advanced-hunting-emailevents-table) and [EmailPostDeliveryEvents](/defender-xdr/advanced-hunting-emailpostdeliveryevents-table) tables, with extended schema support for partner-specific attributes, including vendor-specific threat details. |
| 106 | + |
| 107 | +Use this example query to see third-party catch in Advanced Hunting. |
| 108 | + |
| 109 | + |
| 110 | +```kusto |
| 111 | +EmailEvents |
| 112 | +| where Timestamp > ago(7d) |
| 113 | +//List emails caught by a Third-party solution |
| 114 | +| where DetectionMethods contains "Thirdparty" |
| 115 | +| project NetworkMessageId, RecipientEmailAddress, ThreatTypes, DetectionMethods, AdditionalFields, LatestDeliveryLocation |
| 116 | +``` |
| 117 | + |
| 118 | +## Reporting |
| 119 | + |
| 120 | +The Microsoft 365 Defender portal provides a centralized reporting experience that consolidates telemetry from both Microsoft Defender for Office 365 (MDO) and integrated third-party vendors. This unified view enables security teams to assess the effectiveness of their entire email security stack in one place. |
| 121 | + |
| 122 | +The following dashboards display this information: |
| 123 | + |
| 124 | +**Detection totals** |
| 125 | + |
| 126 | +- *Defender for Office Mailflow blocks*: Messages that MDO caught during mailflow. These are unique messages that the third-party did not catch. |
| 127 | + |
| 128 | +- *Defender for Office Post-delivery blocks*: Messages that MDO caught after delivery, through ZAP. These are unique messages that the third-party did not catch. |
| 129 | + |
| 130 | +- *Non-Microsoft Post-delivery blocks*: Messages that the third-party caught. |
| 131 | + |
| 132 | +- *Duplicate blocks*: Messages that MDO caught during mailflow that the third-party also contributed a verdict on. |
| 133 | + |
| 134 | +- *Duplicate blocks (Defender for Office Post-delivery)*: Messages that MDO caught after delivery, through ZAP, that the third-party also contributed a verdict on. |
| 135 | + |
| 136 | +**Post-delivery catch by non-Microsoft solutions** |
| 137 | + |
| 138 | +- Shows the verdict types that the third-party provided on messages. This report is a breakdown of the Non-Microsoft Post-delivery blocks field in the Detection Totals report. |
| 139 | + |
| 140 | +## Frequently Asked Questions |
| 141 | + |
| 142 | +**I have multiple ICES/CAPES solutions. How does that work?** |
| 143 | + |
| 144 | +You can use this integration with multiple ICES/CAPES vendors as long as they're part of the API Vendor Ecosystem partnership. The integration works the same, where each third-party is able to provide verdicts on the messages in your mailboxes. You can see the third-party catch and be able to identify which third-party the catch is attributed to, within the security portal experiences. If multiple third parties send verdicts on the same message, both third-party verdicts and explainability are logged. The highest verdict between the third-party verdicts determines what action is taken on the message. |
| 145 | + |
| 146 | +**Which verdict takes precedence?** |
| 147 | + |
| 148 | +The "highest" verdict takes precedence. The precedence should be as follows (highest to lowest precedence): |
| 149 | + |
| 150 | +1. Malware |
| 151 | + |
| 152 | +1. High Confidence Phish |
| 153 | + |
| 154 | +1. Phish |
| 155 | + |
| 156 | +1. High Confidence Spam |
| 157 | + |
| 158 | +1. Spam |
| 159 | + |
| 160 | +1. Deleted |
| 161 | + |
| 162 | +1. Junk |
| 163 | + |
| 164 | +1. Clean or Not Spam |
| 165 | + |
| 166 | +**What if I utilize a different third-party application?** |
| 167 | + |
| 168 | +Currently, this integration only works for authorized partners which are Darktrace and KnowBe4. If you utilize a different ICES/CAPES vendor, you cannot take advantage of this integration. |
| 169 | + |
| 170 | +**Will I be charged for the third-party verdict data and actioning by MDO policies?** |
| 171 | + |
| 172 | +No, there is no charge for the integration. The integration and Graph API support are included as part of your Microsoft Defender for Office 365 Plan 2 licenses. |
| 173 | + |
| 174 | +**Why do I not see the Detection Totals and Post-delivery catch by non-Microsoft solutions reports?** |
| 175 | + |
| 176 | +The reports only show if you have activity from one of the authorized third-party partners in the past 90 days. |
| 177 | + |
| 178 | +## Feedback and Support |
| 179 | + |
| 180 | +To provide feedback or request support, contact your Microsoft account team or use the feedback link in the Microsoft 365 Security portal. |
| 181 | + |
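Review bot: The "Understanding the Integration" paragraph (line 66) should state the trust model explicitly, because the rest of the doc depends on it: since MDO "determine[s] what the highest verdict on a message was", a partner verdict can only escalate a message (for example, Clean from MDO plus Phish from the vendor results in Phish handling) and can never downgrade an MDO verdict. Say that in one sentence; it answers the question admins will ask first when they see a third party moving mail in their tenant. In the same paragraph, "acknowledges the verdict provided and determine what" should read "determines what", and "moving the message to the user policy-specified location" should say which policy decides (the MDO anti-spam/anti-phish action for that verdict, if that is the intent). Related, "Enable Integration" step 3 ("their solution is seamlessly and automatically incorporated") tells the admin nothing actionable; since the vendor submits verdicts through a Graph API, the step should say what is consented to in the tenant and where an admin can review or revoke that access, or link to the partner's onboarding doc if that is where it lives. In the FAQ, "The precedence should be as follows" reads as a recommendation rather than the rule the service applies; use "The precedence is as follows", and "both third-party verdicts and explainability are logged" should be "all" since the answer covers more than two vendors. In Reporting, "Non-Microsoft Post-delivery blocks: Messages that the third-party caught" is ambiguous next to the two Duplicate blocks rows; state whether it counts only messages the third party caught uniquely or every message the third party returned a verdict on. Smaller points: expand ICES/CAPES on first use; headings jump from `##` to `####` (use `###`); "Detection totals" vs "Detection Totals report" and "Microsoft Security portal" / "Microsoft 365 Security portal" / "Microsoft 365 Defender portal" should each use one consistent name; and the Prerequisites bullet "Must be licensed with one of the following third-party solutions:" is a fragment hanging off the licensing sentence, so make it a sentence ("You must also be licensed for one of the following third-party solutions:").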