# EDR setup: MS Defender

{% hint style="warning" %}
The management of MS Defender EDR is currently in Beta. Let us know if you have any feedback or encounter any issues.
{% endhint %}

As part of its MDR (Managed Detection and Response) offering, Stoïk manages the Microsoft EDR/XDR configuration. Unlike CrowdStrike or SentinelOne, Stoïk does not sell Microsoft Defender licences; it only manages them. The licences remain yours, and you stay in control of your Microsoft tenant. For Stoïk to deliver the MDR service on Microsoft Defender, your console must be connected to Stoïk so that:

* Monitored hosts and alerts flow into Stoïk's systems and are handled by the Stoïk CERT team 24/7
* You get full visibility on your MDR activity (hosts, alerts, investigations) directly in Stoïk Protect

{% stepper %}
{% step %}

### Update your licences

This must be done during the discussion with your Stoïk sales representative, as part of the Stoïk MDR purchase. Stoïk does not purchase the licences on your behalf for Microsoft MDR.
{% endstep %}

{% step %}

### Deploy your licences

* **Endpoints (workstations):** no deployment needed, licences are automatically applied as soon as they are assigned.
* **Servers:** a dedicated licence is required. Subscribe to it first via [Update your licences](#update-your-licences), then deploy it using the `.exe` installer Microsoft provides.
{% endstep %}

{% step %}

### Connect your Microsoft tenant to Stoïk

This is the step that links your Microsoft Defender console to Stoïk, so that alerts and hosts flow into Stoïk's investigation platform and into Stoïk Protect. The setup has three parts:

* **Part A**: done in a single click from Stoïk Protect (this authorises Stoïk to read alerts and hosts from your Defender tenant).
* **Part B.1**: invite a dedicated external user to give the Stoïk CERT team access to the Microsoft Defender portal.
* **Part B.2**: add XDR Defender permissions (required if Defender RBAC is enabled on your tenant).

#### Part A: Authorise Stoïk from Stoïk Protect

{% hint style="info" %}
Prerequisite: you must be signed into Microsoft with an administrator account that has **Global Admin** rights.
{% endhint %}

{% stepper %}
{% step %}
Log in to [Stoïk Protect](https://app.stoik.io) with your Stoïk account.
{% endstep %}

{% step %}
Go to `MDR` > `Settings`.
{% endstep %}

{% step %}
Click **Connect your Microsoft account**.

<figure><img src="/files/ZOyf8KNIKg0l2HEQNgsT" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
You are redirected to Microsoft. Review the permissions requested by the Stoïk MDR application and click **Accept**.
{% endstep %}

{% step %}
You are sent back to Stoïk Protect. The **Settings** page will show the connection as **Connected**, along with the detected Microsoft Tenant ID. Once Part A is complete, your Microsoft Defender alerts will start flowing into Stoïk. You can already see monitored hosts and alerts in `Stoïk Protect` > `MDR`.
{% endstep %}
{% endstepper %}

#### Part B.1: Invite the Stoïk MDR user

To let the Stoïk CERT team use the Microsoft investigation console and conduct large-scale investigations on your tenant, you must invite a dedicated external user.

{% stepper %}
{% step %}
Go to [portal.azure.com](https://portal.azure.com) with an account that has **Global Admin** rights.
{% endstep %}

{% step %}
In the top search bar, type **Users** and open the user management section.

<figure><img src="/files/AEcEcZZQFFcCt6iZXqeK" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Click **All Users**, then **Invite external user**.

<figure><img src="/files/TWbGbetO80ycBReTFkTF" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Fill in:

* **Email address:** `mdr_api@stoikcert.onmicrosoft.com`
* **Display name:** `Stoik_Mdr_Api`

Copy your **tenant ID** (displayed at step 3 of the invite form); you will need it later.

<figure><img src="/files/rklfGHyGPrz8VMB5JhlJ" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Go to the **Assignments** tab, click **Add role**, search for and select **Security Operator**, then click **Select**.

<figure><img src="/files/xSjbPmY8uxLvmE3gA6GU" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Click **Review + invite**, then **Invite** to finalize.

<figure><img src="/files/KQrJZvCYpdlZ6D6qXFSZ" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}
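After finishing Part B.1, you can confirm from PowerShell that the guest account exists and holds exactly the role you assigned. This verification script is an added example, not part of Stoïk's documentation; it assumes the Microsoft Graph PowerShell SDK is installed and that you run it with an account allowed to read users and directory roles.

```powershell
# Added verification script (not Stoïk's code). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account can read users and
# directory role memberships.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "User.Read.All", "RoleManagement.Read.Directory"

$invitedMail  = "mdr_api@stoikcert.onmicrosoft.com"   # address invited in Part B.1
$expectedRole = "Security Operator"                   # role assigned in Part B.1

# 1. Locate the guest object created by the invitation. Invited guests keep the
#    invited address in the 'mail' attribute; the UPN gets an #EXT# suffix.
$guest = Get-MgUser -Filter "mail eq '$invitedMail'" `
                    -Property Id,DisplayName,UserPrincipalName,UserType,ExternalUserState
if (-not $guest) {
    throw "No user with mail '$invitedMail' found in this tenant; re-run the invite."
}
if ($guest.UserType -ne "Guest") {
    Write-Warning "Account is '$($guest.UserType)', not a Guest; check the invitation."
}
"Guest account : $($guest.DisplayName) <$($guest.UserPrincipalName)>"
"Invite state  : $($guest.ExternalUserState)"   # 'PendingAcceptance' until Stoïk accepts

# 2. Enumerate every activated directory role the guest is a member of, so you can
#    see that it holds Security Operator and nothing broader.
$heldRoles = foreach ($role in Get-MgDirectoryRole) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if ($members.Id -contains $guest.Id) { $role.DisplayName }
}
"Roles held    : $(($heldRoles -join ', ') -replace '^$','<none>')"

if ($heldRoles -notcontains $expectedRole) {
    Write-Warning "'$expectedRole' is not assigned; re-check the Assignments tab."
}
$extra = $heldRoles | Where-Object { $_ -ne $expectedRole }
if ($extra) {
    Write-Warning "Guest also holds: $($extra -join ', '). Confirm this is intended."
}
```

Directory roles that were never activated in the tenant do not appear in `Get-MgDirectoryRole`, which is expected; only roles with at least one assignment are listed.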

#### Part B.2: Add XDR Defender permissions (if Defender RBAC is enabled)

{% hint style="info" %}
Defender XDR role management via RBAC is enabled by default on most tenants. If it is active on yours, complete the steps below. If not, you can skip this section.
{% endhint %}

{% stepper %}
{% step %}
Go to [security.microsoft.com](https://security.microsoft.com) with an account that has **Global Admin** rights.
{% endstep %}

{% step %}
Expand `System`, click `Permissions`, then under `Microsoft Defender XDR`, select `Roles`.

<figure><img src="/files/UJxtnp7H3ntpZmPlGciQ" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Click **Create a custom role** and fill **Role Name** with `stoik_mdr_role`.

![](/files/S6fX1GpBTbp4o1IY7voK)

<figure><img src="/files/G9OyHAOklUHna2c3NpH4" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Grant permissions: for each of the three permission groups, select **All read and management permissions**, click **Apply**, then **Next**.

<figure><img src="/files/fjK9fa2ms5UeYtkIrd59" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Add the assignment:

* Click **Add assignment**.
* Name: `stoik_mdr_assignment`.
* Employees: type `mdr_api@stoikcert.onmicrosoft.com` and click the user icon that appears to validate.
* Select **All data sources**.
* Tick **Include automatically all future data sources**.
* Click **Add**, then **Next**.

![](/files/LPgrOppjJH1OYnizH7ma)
{% endstep %}

{% step %}
Click **Submit** to finalize.

<figure><img src="/files/HR5C5cLb7h3BVQW1Z1sx" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

#### Notify Stoïk

Once Part B is complete, send an email to <protect@stoik.io> with your **Microsoft Tenant ID** (copied at step 4 of Part B.1, and also shown on the **Settings** page after Part A). The Stoïk CERT team will finalize the activation on our side.
{% endstep %}
{% endstepper %}

## Troubleshooting

**The "Connect your Microsoft account" button in Stoïk Protect returns an error.**\
Make sure you are signed into Microsoft with a **Global Admin** account.

**The connection shows as "Connected" in Stoïk Protect but I don't see any host or alert.**\
It can take up to a few hours for the first data sync.

For any unresolved issue or to revoke Stoïk's access to your Microsoft Defender tenant, contact <protect@stoik.io>.
