SSPM + Defender Endpoint POC — Internal M365 Tenant Setup & Test
Document name: sspm-defender-poc-internal-tenant.md
Version: 1.0.0
Last updated: 2026-06-15
Owned by: Build & Infrastructure
Pairs with: microsoft-csp-ordering-guide.md (licensing), cybersuite-plans-control-coverage.md (C-02/C-11/C-15 SSPM coverage), project_microsoft_partner_csp memory.
Purpose
Stand up and test, in CyberSuite’s own M365 tenant (cybersuite.tech), the two Microsoft security capabilities behind the Sentinel tier and our internal device security:
- SaaS Security Posture Management (SSPM) via Microsoft Defender for Cloud Apps — this is the Sentinel-tier deliverable (the SSPM that drives the FULL rating on controls C-02, C-11, and C-15 in the coverage map). Dogfooding it here validates the deliverable before we sell it.
- Microsoft Defender for Endpoint (MDE) on one Windows PC and one Mac — this is internal device hardening + skilling on the Defender Suite. ⚠️ It is not the customer EDR — customer EDR is Huntress at every tier. We run MDE on our own machines to (a) secure them and (b) build hands-on Defender Suite fluency.
Why internal-only right now: Microsoft partner benefits are Internal-Use Rights (IUR) — license our own tenant/employees for dogfooding and POCs. Customer licenses come later via Pax8 CSP. Do not assign these to a customer tenant. See project_microsoft_partner_csp.
Definition of done: connector connected + SSPM recommendations visible; both devices onboarded, healthy, and each firing a test detection; evidence captured for the POC write-up (§7).
Prerequisites
| Item | Requirement |
|---|---|
| Tenant | cybersuite.tech M365 tenant (our own). |
| Licensing | A license that includes Defender for Cloud Apps (SSPM) and Defender for Endpoint P1/P2. Defender for Cloud Apps standalone covers SSPM; the Microsoft Defender Suite add-on (formerly “E5 Security”) covers both MDE P2 + MDCA. Confirm which IUR licenses are assigned in admin.microsoft.com → Billing → Licenses before starting. |
| Roles | Security Administrator or Global Administrator for the Defender portal; Cloud Application Administrator (or Application Administrator) to connect the M365 app connector. |
| Portal | Microsoft Defender portal: security.microsoft.com. (Menus shift; if a path below moved, look under Settings → Cloud Apps or Settings → Endpoints.) |
| Devices | 1 × Windows 10/11 PC (admin rights, Microsoft Defender Antivirus active) and 1 × Mac (macOS 13+ recommended, admin rights). Use lab/spare machines, not a production endpoint, for the test detections. |
Licensing the POC (Partner Success Core)
This POC runs on Internal-Use Rights (IUR) from Partner Success Core ($925/yr) — our chosen partner package. Verified seats (2026, internal-use only — never assign to a customer): Microsoft Defender Suite ×15, Defender for Endpoint P2 ×15, Entra ID P2 ×15, M365 Business Premium ×15. Which seat unlocks which test:
| POC test | License seat that unlocks it |
|---|---|
| Part A — SSPM (Defender for Cloud Apps) | Microsoft Defender Suite — it includes Defender for Cloud Apps. ⚠️ Business Premium alone does NOT carry SSPM. |
| Parts B/C — MDE on PC + Mac | Defender for Endpoint P2 (also inside the Defender Suite seat) |
| Identity hardening (Conditional Access, PIM) | Entra ID P2 |
| Base tenant/user license | M365 Business Premium |
One Partner Success Core purchase covers every test here, 15 seats each. Assign a Defender Suite seat to the test user before Part A — that’s what carries the SSPM entitlement.
Part A — SSPM via Microsoft Defender for Cloud Apps (the Sentinel deliverable)
SSPM gives posture visibility + actionable recommendations across connected SaaS apps, surfaced through Microsoft Secure Score. We connect the Microsoft 365 app connector first (that’s what drives SSPM for the M365 estate, which is what Sentinel customers run).
A1 — Open Defender for Cloud Apps
- security.microsoft.com → left nav → Cloud apps. If it’s not visible, it’s gated by licensing/role — re-check Prerequisites.
A2 — Connect the Microsoft 365 app connector
- Settings (gear) → Cloud Apps → Connected apps → App Connectors.
- + Connect an app → Microsoft 365.
- Select all relevant components (Office 365, Azure AD/Entra) and Connect Office 365. You’ll be prompted to consent with a Cloud Application Administrator account.
- Wait for status Connected (initial scan can take a few minutes to a couple hours).
A3 — Turn on Security recommendations for the connector
- Same App Connectors list → filter to the Microsoft 365 connector → confirm Security recommendations is On (this is what feeds SSPM into Secure Score / Exposure Management).
A4 — Review the SSPM posture
- Cloud apps → SaaS security posture (a.k.a. the posture/recommendations view), and cross-check Secure Score (security.microsoft.com → Secure score) for the M365 recommendations now flowing in.
- Expect recommendations like: inactive/over-privileged accounts, MFA gaps, sharing/oversharing risks, admin-consent and OAuth app risks. These map to coverage-map controls — note any that touch C-02 (risk assessment input), C-11 (device/BYOD posture), C-15 (orphaned/stale accounts).
A5 — Remediate-and-recheck (validate the loop)
- Pick one low-risk recommendation, remediate it, and confirm the recommendation clears / Secure Score moves on the next refresh. This proves the full SSPM loop a Sentinel customer would experience.
Part A success criteria: connector = Connected; Security recommendations = On; ≥1 SSPM recommendation reviewed; one remediation verified clearing. Screenshot each for §7.
Part B — Defender for Endpoint on the Windows PC (internal hardening)
B1 — Confirm prereqs: Windows 10/11, Microsoft Defender Antivirus running (not third-party AV in active mode).
B2 — Download the onboarding package
- security.microsoft.com → Settings → Endpoints → Onboarding.
- Operating system: Windows 10/11; Deployment method: Local Script (fine for a single POC device; use Intune for fleet later).
- Download onboarding package and copy it to the PC.
B3 — Run the onboarding script
- Extract; from an elevated command prompt run `WindowsDefenderATPLocalOnboardingScript.cmd`. Confirm the success message.
B4 — Run the EDR detection test
- In an elevated PowerShell on the device, run the Microsoft EDR detection test (it downloads from a loopback address and launches the file; the download is expected to fail, the behaviour is what gets detected):

```powershell
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue'; (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-MDATP-test\invoice.exe'); Start-Process 'C:\test-MDATP-test\invoice.exe'
```

- (Or drop the EICAR test string into a file.) A new alert should appear for the device in the Defender portal within ~10 minutes.
B5 — Baseline the device
- Turn on Tamper Protection, Network Protection (block mode), and apply Attack Surface Reduction (ASR) rules. For the POC, set manually; for production fleet, push the Defender security baseline via Intune.
Part B success criteria: device shows in Assets → Devices with status Onboarded; the detection test produced an alert; Tamper Protection on. Screenshot for §7.
Part C — Defender for Endpoint on the Mac (internal hardening)
macOS onboarding requires granting OS-level permissions. Plan ~20–30 min hands-on at the machine.
C1 — Download the packages
- security.microsoft.com → Settings → Endpoints → Onboarding → OS macOS → method Local script (manual deployment).
- Download both: the installer `wdav.pkg` and the onboarding package (contains `MicrosoftDefenderATPOnboardingMacOs.sh`). Copy both to the Mac.
C2 — Install
- Run `wdav.pkg` (double-click → follow the installer).
C3 — Grant the required permissions (macOS will prompt; you can also set manually in System Settings → Privacy & Security):
- System/Network Extension: approve when prompted, or Privacy & Security → Allow the Microsoft Defender extension. Restart if asked so the system extension loads.
- Full Disk Access: Privacy & Security → Full Disk Access → enable Microsoft Defender and the Microsoft Defender Endpoint Security Extension (Catalina 10.15+ requires this to monitor).
- Background item / Network filter: allow when prompted.
C4 — Run onboarding
- Terminal: `sudo bash /path/to/MicrosoftDefenderATPOnboardingMacOs.sh`
C5 — Verify health and fire a detection
- Health: `mdatp health` → confirm `healthy : true`, `licensed : true`, `real_time_protection_enabled : true`, `definitions_status : "up_to_date"`.
- Detection test: `mdatp threat simulate` (or download the EICAR string with `curl` to a file). Confirm the device + alert appear in the Defender portal.
C6 — Baseline the Mac
- Enable PUA protection (block), Network Protection, Tamper Protection (block). (Manual for POC; MDM/Intune config profiles for production.)
Part C success criteria: mdatp health all-green; device shows Onboarded in the portal; detection test produced an alert. Screenshot mdatp health + the portal alert for §7.
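A scripted version of the C5 health gate, as an added example that is not part of this runbook or of Microsoft's tooling: it reads `mdatp health` output, checks the four fields listed above, prints a per-field verdict, and files the raw output as §7 evidence. The field names are mdatp's own; the sample output embedded for machines without mdatp is constructed, and the default evidence folder is an assumption.

```bash
#!/usr/bin/env bash
# Added example for the Part C health check; not part of the runbook or of Microsoft's tooling.
# Parses `mdatp health` output, verifies the four C5 fields, and files the raw output as evidence.
set -u

# field=value pairs the C5 step requires. Key names are mdatp's own; string values are
# compared after stripping the quotes mdatp prints around them.
REQUIRED_FIELDS="healthy=true licensed=true real_time_protection_enabled=true definitions_status=up_to_date"

# Constructed sample in the shape mdatp prints (key, padding, colon, value). Used only when
# mdatp is not installed, so the script can be exercised on any machine. Values are illustrative.
SAMPLE_HEALTHY='healthy                                     : true
health_issues                               : []
licensed                                    : true
engine_version                              : "0.0.0"
real_time_protection_enabled                : true
definitions_status                          : "up_to_date"'

# Print the value of one field from health output read on stdin (empty if absent).
health_field() {
  awk -v key="$1" -F' *: *' '$1 == key { v = $2; gsub(/"/, "", v); print v; exit }'
}

# Check every required field against the given health output.
# Prints PASS/FAIL per field; returns 0 only when all pass.
check_mdatp_health() {
  local output="$1" pair name want got rc=0
  for pair in $REQUIRED_FIELDS; do
    name="${pair%%=*}"
    want="${pair#*=}"
    got="$(printf '%s\n' "$output" | health_field "$name")"
    if [ "$got" = "$want" ]; then
      printf 'PASS  %-30s %s\n' "$name" "$got"
    else
      printf 'FAIL  %-30s got "%s", want "%s"\n' "$name" "${got:-<missing>}" "$want"
      rc=1
    fi
  done
  return "$rc"
}

# File the raw output as sign-off evidence and print the path written.
# Assumption: the evidence folder is passed in; the runbook does not fix one.
save_health_evidence() {
  local output="$1" dir="$2" file
  mkdir -p "$dir"
  file="$dir/mdatp-health-$(date +%Y%m%dT%H%M%S).txt"
  printf '%s\n' "$output" > "$file"
  printf '%s\n' "$file"
}

main() {
  local out evidence_dir
  if command -v mdatp >/dev/null 2>&1; then
    out="$(mdatp health)"
  else
    echo "mdatp not installed here; checking the constructed sample instead" >&2
    out="$SAMPLE_HEALTHY"
  fi
  evidence_dir="${1:-${TMPDIR:-/tmp}/poc-evidence}"   # assumed default location
  if check_mdatp_health "$out"; then
    echo "All-green. Evidence saved: $(save_health_evidence "$out" "$evidence_dir")"
  else
    echo "Not all-green; clear the FAIL lines before running the detection test" >&2
    return 1
  fi
}

main "$@"
```

Run it on the Mac after C4 (`bash mdatp-health-gate.sh /path/to/poc-evidence`); a non-zero exit means stop and fix the listed field before firing the detection test in C5.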
Validation matrix (the whole POC in one table)
| # | Check | Where | Pass = |
|---|---|---|---|
| 1 | M365 connector connected | Cloud Apps → App Connectors | Status “Connected” |
| 2 | SSPM recommendations flowing | Cloud Apps posture / Secure Score | ≥1 recommendation visible; one remediation clears |
| 3 | PC onboarded | Assets → Devices | Status “Onboarded” |
| 4 | PC detection | Incidents & alerts | Test alert within ~10 min |
| 5 | Mac onboarded + healthy | Assets → Devices / mdatp health | Onboarded; health all-true |
| 6 | Mac detection | Incidents & alerts | Test alert |
POC sign-off — evidence to capture
Save to the data room / POC folder (also feeds the build-to-sell data room and the Sentinel deliverable proof):
- Screenshot: M365 connector Connected + Security recommendations On.
- Screenshot: one SSPM recommendation + the same recommendation cleared after remediation.
- Screenshot: both devices Onboarded in Assets → Devices.
- Screenshot: the three test alerts (PC + Mac + any SSPM detection).
- Screenshot: `mdatp health` output.
- One-paragraph note: did SSPM surface the orphaned-account / posture signals that justify the C-15 / C-11 / C-02 Sentinel ratings? (This is the direct link from POC → the Sentinel sales claim.)
Huntress + Microsoft Defender — the production EDR model
This is how Huntress and Microsoft Defender actually combine in the customer stack (and how to run it on our own machines). There are two distinct relationships — keep them straight.
1. Huntress manages Microsoft Defender Antivirus — WINDOWS ONLY
On Windows, Huntress takes over the free, built-in Microsoft Defender Antivirus as the prevention engine: it configures, tunes, monitors (24/7 SOC, ~8-min MTTR), and remediates Defender from the Huntress portal — at no extra license cost. This is the cost-efficient core of our Managed EDR line: Defender (free with Windows) does the blocking; Huntress is the managed brain + SOC on top. Budget that would buy a third-party AV goes to identity, SAT, and SIEM instead (our Defense/Sentinel stack).
⚠️ Microsoft-only / Windows-only. This “Huntress-managed free Defender AV” model exists only on Windows, because Microsoft Defender Antivirus is a Windows feature. macOS has no free built-in Microsoft AV — the Mac path is different (see below). Do not assume the Windows AV-replacement economics carry to Mac.
Deploy on Windows (internal test):
- Huntress portal → enable Managed Microsoft Defender / Managed Antivirus for the org.
- Deploy the Huntress agent to the PC (RMM/Syncro, GPO/Intune, or the manual installer from the Huntress portal).
- Huntress detects the built-in Defender and takes over management. Set the Defender policy from Huntress: real-time + cloud-delivered protection, PUA block, controlled folder access, exclusions, scan schedule, tamper protection.
- Verify: the endpoint shows Microsoft Defender — Managed in Huntress, and a test detection surfaces in Huntress (not just the Defender portal).
2. Huntress integrates with Microsoft Defender for Endpoint (telemetry) — Windows + macOS
Separately, Huntress can ingest telemetry from Microsoft Defender for Endpoint (the paid EDR — MDE / Defender for Business / Defender for Endpoint for macOS) into the Huntress SOC, so you get more value from the Defender licenses alongside Huntress’ own EDR. This works on Windows and macOS.
Requirement: MDE must be fully deployed to the endpoints first (Parts B/C). If MDE isn’t deployed, the Huntress integration receives no data.
Enable the integration:
- Deploy MDE to the endpoints (Parts B/C above).
- Huntress portal → Integrations → Microsoft Defender for Endpoint → Set up.
- Authorize: sign in as Global Administrator to the M365 tenant and grant the Huntress Defender for Endpoint application permissions.
- Confirm MDE events start flowing into Huntress.
Deploying on a Mac — the full Mac path
Because there’s no free built-in Microsoft AV on Mac, the Mac stack is not “Huntress-managed Defender AV.” It is:
- Huntress macOS EDR agent (primary). Deploy the Huntress `.pkg` to the Mac via RMM/Syncro, an MDM/Intune configuration profile, or the manual installer from the Huntress portal (Add Agent → macOS). On first run, grant the macOS permissions it prompts for in System Settings → Privacy & Security:
  - Full Disk Access for the Huntress agent,
  - System / Network Extension — Allow when prompted (restart if asked),
  - Background item — allow.
  The Huntress macOS agent also reads XProtect (macOS’s built-in malware protection) detections — that’s the Mac equivalent of “watch the built-in protection,” and it carries prevention visibility on Mac in place of the Windows Defender-AV role.
- (Optional) Microsoft Defender for Endpoint for macOS (paid). If you want Microsoft’s EDR telemetry on the Mac too, deploy it per Part C above (install `wdav.pkg`, grant Full Disk Access + extension approvals, run the onboarding script, verify with `mdatp health`). Then connect the Huntress ↔ Defender for Endpoint integration (relationship #2) so Huntress ingests the Mac’s Defender telemetry.
- Verify in the Huntress portal: the Mac appears as a managed macOS endpoint, and XProtect (and, if deployed, MDE-for-Mac) detections show up in Huntress.
Net for our stack: on Windows, Huntress manages the free Defender AV (no AV cost) + 24/7 SOC. On macOS, the Huntress agent + XProtect carry prevention/EDR, with optional MDE-for-Mac telemetry layered in via the integration. Either way the customer-facing EDR brand and SOC is Huntress — Microsoft Defender is the engine/telemetry, never a second EDR we pay for on top.
Productization notes (POC → Sentinel)
- SSPM is the customer-facing piece. Once validated here, the Sentinel deliverable is: connect the customer’s M365 via Defender for Cloud Apps (their licenses, via Pax8 CSP + GDAP), and operationalize the posture recommendations. SSPM is M365-only — Workspace customers max out at Defense (already reflected in the coverage map and the website).
- Defender for Endpoint stays internal unless/until we decide to consolidate the customer stack onto Microsoft-native (a separate Operations/B&I decision — today customer EDR is Huntress). Don’t conflate the two in customer materials.
- Licensing gate: customer rollout needs the registered MS Indirect Reseller + Pax8 CSP path (now approved — see `project_microsoft_partner_csp`); internal POC runs on IUR.
- Customer on M365 but no Defender license, wants endpoint protection on a Mac? Our standard Mac protection does not need one — the Huntress macOS agent is the EDR at every tier; it’s license-independent (uses native macOS XProtect), so a missing Microsoft Defender license is not a protection gap. Microsoft Defender for Endpoint on a customer Mac is only relevant if the firm specifically wants Microsoft-native endpoint or wants to feed the Huntress↔Defender telemetry integration. To license it then: M365 Business Premium includes Defender for Business, which covers macOS EDR — most of our ICP are (or should be) on Business Premium, our anchor resale SKU; if they’re on a lower SKU, resell Defender for Business (~$3/user/mo) standalone via Pax8 CSP. Treat it as an optional resold upsell, not a gap we must fill. (Prices: `microsoft-csp-ordering-guide.md`.)
Teardown / offboarding (only if needed)
- Endpoints: Defender portal → Settings → Endpoints → Offboarding → download the OS-specific offboarding package and run it (note: offboarding packages expire 7 days after download).
- Connector: Cloud Apps → App Connectors → remove the Microsoft 365 connector (leaves the tenant untouched; just stops MDCA collection).
References (Microsoft Learn)
- SSPM overview — https://learn.microsoft.com/en-us/defender-cloud-apps/posture-overview
- Connect Microsoft 365 to Defender for Cloud Apps — https://learn.microsoft.com/en-us/defender-cloud-apps/protect-office-365
- Onboard Windows devices — https://learn.microsoft.com/en-us/defender-endpoint/onboarding
- EDR detection test — https://learn.microsoft.com/en-us/defender-endpoint/edr-detection
- Manual deployment on macOS — https://learn.microsoft.com/en-us/defender-endpoint/mac-install-manually
- macOS system extension troubleshooting — https://learn.microsoft.com/en-us/defender-endpoint/mac-support-sys-ext
- Huntress — Managed Microsoft Defender (Windows AV management) — https://www.huntress.com/platform/managed-edr/managed-microsoft-defender
- Huntress — Managed EDR for macOS — https://www.huntress.com/platform/managed-edr/macos
- Huntress Support — Defender for Endpoint Integration Setup (Global-Admin authorization; MDE must be deployed first) — https://support.huntress.io/hc/en-us/articles/30712039505683-Defender-for-Endpoint-Integration-Setup