Commit f02a589

Merge pull request #4421 from MicrosoftDocs/main
[AutoPublish] main to live - 07/04 01:35 PDT | 07/04 14:05 IST
2 parents d77c3bb + b39b00a commit f02a589

4 files changed

+27
-16
lines changed

defender-xdr/before-you-begin-xdr.md

Lines changed: 24 additions & 13 deletions
@@ -17,7 +17,7 @@ ms.custom:
1717
- cx-ti
1818
- cx-dex
1919
search.appverid: met150
20-
ms.date: 04/24/2025
20+
ms.date: 07/04/2025
2121
---
2222

2323
# Before you begin using Defender Experts for XDR
@@ -28,25 +28,36 @@ ms.date: 04/24/2025
2828

2929
This document outlines the key prerequisites you must meet and essential information you must know before purchasing the Microsoft Defender Experts for XDR service.
3030

31-
## Eligibility and licensing
31+
## Prerequisites and licensing
3232

3333
Defender Experts for XDR is a separate service from your existing Defender products. To enable us to get started with this managed service, we require the following licensing prerequisites:
3434

35-
- Microsoft Defender for Endpoint P2 must be licensed and enabled on eligible devices
36-
- Microsoft Defender Antivirus must be licensed and enabled in active mode on devices onboarded to Defender for Endpoint (required for endpoint detection and response capabilities)
37-
- Microsoft Entra ID P1 must be licensed for all users and enabled (required for enabling secure service provider access)
35+
- Microsoft Entra ID P1 must be licensed for all users and enabled (required for enabling secure service provider access).
36+
- **At least one** Microsoft Defender product (Microsoft Defender for Endpoint, Microsoft Defender for Office 365 P2, Microsoft Defender for Identity, or Microsoft Defender for Cloud Apps) must be licensed and deployed in active mode.
3837

39-
The following products are also eligible to get Defender Experts for XDR coverage, and you must have their appropriate product licenses to get started with the service:
38+
### Product Eligibility
4039

41-
- Microsoft Defender for Office 365 P2
42-
- Microsoft Defender for Identity
43-
- Microsoft Defender for Cloud Apps
40+
Defender Experts for XDR provides managed detection and response across any combination of the following Microsoft Defender products:
41+
- Defender for Endpoint
42+
- Defender for Office 365 P2
43+
- Defender for Identity
44+
- Defender for Cloud Apps
4445

45-
The following product is **not** covered by this service:
46+
To begin service operations, at least one of these products must be appropriately licensed and deployed in active mode. Even if some products—such as Defender for Endpoint—aren't configured in active mode, Defender Experts can still provide coverage for the other eligible products in your environment. However, the depth of response might vary. For more information, see [Product configuration and service coverage](#product-configuration-and-service-coverage).
4647

47-
- Microsoft Defender for IoT
48+
The following product isn't covered by this service:
49+
- Microsoft Defender for IoT
50+
51+
### Product configuration and service coverage
52+
Defender Experts for XDR provides managed detection and response across Microsoft Defender products that are licensed and properly deployed in your environment.
53+
While all Defender products (except Defender for IoT) can be included in the service, the depth of coverage might vary depending on how each product is configured.
54+
- **Products deployed in active mode are fully covered.** Defender Experts investigate and respond to incidents involved in these products on your behalf.
55+
- **Products deployed in passive mode might be non-actionable by Defender Experts.** In such cases, guided response might still be provided, but no remediation actions are taken on your behalf.
56+
57+
We recommend ensuring that at least one product, such as Defender for Endpoint or Defender for Office 365, is deployed in active mode. This enables Defender Experts to take direct action on high-priority threats, including advanced attacks like adversary-in-the-middle (AiTM).
58+
59+
For maximum, native coverage, we recommend deploying the full Microsoft Defender XDR suite and enabling all eligible products in active mode.
4860

49-
Defender Experts for XDR is a managed extended detection and response (XDR) service. To get native XDR coverage, we recommend deploying the full Microsoft Defender XDR suite.
5061

5162
### Server coverage
5263

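Review bot: New lines 36 and 46 state that at least one Defender product "must be licensed and deployed in active mode", but new line 57 presents the same condition as "We recommend ensuring that at least one product ... is deployed in active mode"; settle on requirement or recommendation, because as written a reader can't tell whether a tenant with only passive-mode products can start the service. The removed text tied "active mode" to Microsoft Defender Antivirus on devices onboarded to Defender for Endpoint, while the new text applies the term to all four products without defining it, so define it per product or link to a definition. Smaller points: "### Product Eligibility" is title case while the neighbouring headings ("### Product configuration and service coverage", "### Server coverage") are sentence case; "incidents involved in these products" reads better as "incidents involving these products"; and no blank line separates the lists at new lines 41, 49 and 54 from the text above them, or the heading at new line 51 from its paragraph.
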
@@ -55,7 +66,7 @@ Defender Experts for XDR also covers servers—whether on premises or on a hyper
5566

5667
### Ask Defender Experts
5768

58-
[Ask Defender Experts](experts-on-demand.md) is intended to provide a better understanding of complex threats affecting your organization. It focuses on products included in Microsoft Defender XDR (Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity). [See sample questions you can ask Defender Experts](experts-on-demand.md#sample-questions-you-can-ask-from-defender-experts).
69+
[Ask Defender Experts](experts-on-demand.md) is intended to provide a better understanding of complex threats affecting your organization. It focuses on products included in Microsoft Defender XDR (Defender for Endpoint, Defender for Office 365, Defender for Cloud Apps, and Defender for Identity). [See sample questions you can ask Defender Experts](experts-on-demand.md#sample-questions-you-can-ask-from-defender-experts).
5970

6071
As part of the service's built-in [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md), customers are assigned 10 **Ask Defender Experts** credits, which you can use to submit questions, at the start of each calendar quarter. Unused credits from the current quarter roll up to the next one. You can use up to 20 credits only per quarter. All unused credits expire by the end of the calendar year or at the end of your subscription term, whichever comes first.
6172

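Review bot: The changed line at new line 69 lists "Defender for Office 365" without the P2 qualifier, while the eligibility list rewritten earlier in this same file names "Defender for Office 365 P2". If Ask Defender Experts follows the same licensing, use the same name here; if it really covers any Defender for Office 365 plan, say so explicitly so the two lists aren't read as contradicting each other.
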
defender-xdr/defender-experts-scoped-coverage.md

Lines changed: 1 addition & 1 deletion
@@ -56,7 +56,7 @@ Currently, the service doesn't offer support to rename these predefined groups,
5656
The following section lists down questions that you or your SOC team might have regarding scoped coverage:
5757

5858
1. **What aspects of the XDR service remain consistent with Defender Experts scoped coverage?**
59-
- This service doesn't change our pricing structure. You still pay for Defender Experts service based on [E5](before-you-begin-xdr.md#eligibility-and-licensing) and Microsoft Defender for Endpoint for Servers for your desired user base.
59+
- This service doesn't change our pricing structure. You still pay for Defender Experts service based on [E5](before-you-begin-xdr.md#prerequisites-and-licensing) and Microsoft Defender for Endpoint for Servers for your desired user base.
6060
- This service doesn't scope according to individual Microsoft Defender products and services (such as Microsoft Defender for Endpoint, Microsoft Defender for Office 365, or Microsoft Defender for Cloud). That is, the minimum baseline for scoped coverage is still the E5 license.
6161
- There's no change in permissions for analysts in Defender Experts for XDR. Defender Experts analysts will still have access to your entire tenant and not just the scoped assets.
6262

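Review bot: The retargeted link at new line 59 keeps "E5" as its link text, but the "Prerequisites and licensing" section it now points to, as rewritten in before-you-begin-xdr.md, doesn't mention E5 in the lines shown (it lists Entra ID P1 and at least one Defender product). Either change the link text to match the target section or point it at a page that actually describes the E5 basis for pricing, and check that the unchanged line 60 ("the minimum baseline for scoped coverage is still the E5 license") still agrees with the new prerequisites.
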
defender-xdr/faq-defender-experts-hunting.md

Lines changed: 1 addition & 1 deletion
@@ -17,7 +17,7 @@ ms.custom:
1717
- cx-ti
1818
- cx-ean
1919
search.appverid: met150
20-
ms.date: 01/12/2025
20+
ms.date: 06/27/2025
2121
---
2222

2323
# General information on Microsoft Defender Experts for Hunting service
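
Review bot: The ms.date change at line 20 (01/12/2025 to 06/27/2025) is the only edit to this file, which shows 1 addition and 1 deletion, so the page will appear refreshed with no content change behind it. If the FAQ was reviewed and found current, record that in the change description; otherwise leave ms.date as it was so it keeps reflecting the last real content update.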

defender-xdr/frequently-asked-questions.md

Lines changed: 1 addition & 1 deletion
@@ -16,7 +16,7 @@ ms.custom:
1616
- cx-ti
1717
- cx-dex
1818
search.appverid: met150
19-
ms.date: 10/30/2024
19+
ms.date: 06/27/2025
2020
---
2121

2222
# General information on Defender Experts for XDR service
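
Review bot: At line 19, ms.date jumps from 10/30/2024 to 06/27/2025 with no other line in the file touched (1 addition, 1 deletion). Confirm the answers in this FAQ were actually re-reviewed on that date, or revert the date; a freshness stamp without a content review misleads readers who rely on it to judge whether licensing guidance is current.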
