Edit

Share via

Configure Defender for Identity automated response exclusions

Note

The experience described in this page can be accessed at https://security.microsoft.com as part of Microsoft Defender XDR.

This article explains how to configure Microsoft Defender for Identity automated response exclusions in Microsoft Defender XDR.

Microsoft Defender for Identity enables the exclusion of Active Directory accounts from automated response actions, used in Automatic Attack Disruption. Automated response exclusions do not apply to responses triggered by Custom Detections.

For example, an incident involving Attack Disruption, where response actions are taken automatically, wouldn't disable a specified excluded account. This could be used, for example, to exclude sensitive accounts from automated actions.

How to add automated response exclusions

  1. In the Microsoft Defender XDR portal, go to Settings and then Microsoft Defender XDR.

    Go to Settings, then Microsoft Defender XDR.

  2. You'll see Automated response > Identities in the left-side menu.

    Go to Automated response then Identities.

  3. To exclude specific users, select Add User Exclusion.

    Exclude specific users.

  4. Search for the users to exclude and select the Exclude Users button.

    Choose which users to exclude.

  5. To remove excluded users, select the relevant users from the list and select the Remove button.

    Remove excluded users.

See also