
Microsoft Defender EASM: Solution Overview and Tutorial

What Is Microsoft Defender EASM?

Microsoft Defender External Attack Surface Management (EASM) is a cybersecurity solution designed to secure digital environments by managing the external attack surface. This tool provides visibility into assets visible to potential attackers.

Defender EASM supports security postures by uncovering hidden threats and vulnerabilities. As organizations grow, their digital footprint increases. Microsoft Defender EASM aids in managing these assets, ensuring they are monitored and protected against external threats.

Key Features of Microsoft Defender EASM

Microsoft Defender External Attack Surface Management (EASM) offers the following capabilities:

  • Discovery and inventory: Helps identify assets connected to the organization, including previously unknown or unmonitored ones. The discovery process includes domains, IP blocks, hosts, email contacts, ASNs, and WHOIS organizations. It indexes and categorizes these assets.
  • Risk insight dashboards: Dashboards provide an at-a-glance view of the organization’s online infrastructure, highlighting critical risks such as vulnerabilities and compliance gaps.
  • Asset management and custom filtering: Allows users to filter and customize the inventory view based on specific needs, such as isolating assets linked to deprecated infrastructure or identifying new cloud resources.
  • Role-based user permissions: Owners and Contributors can create, modify, and delete resources, while Readers can only view data, maintaining strict control over sensitive information.
  • Data residency and compliance: Microsoft adheres to strict compliance standards, with customer-specific data stored in regions chosen by the customer. Data retention policies ensure that customer data is securely deleted 180 days after an organization ceases to be a customer.
  • Global and customer-specific data integration: Integrates global Microsoft data with customer-applied labels to offer a unified view of the attack surface.

How Microsoft Defender EASM Works

Microsoft Defender External Attack Surface Management (EASM) provides a systematic approach to identify and manage the assets within an organization’s external attack surface. Its discovery process ensures comprehensive visibility, addressing risks associated with unmonitored or unknown digital properties.

Here’s how it operates:

  • Discovery capabilities: The system begins with “seeds,” which are known assets like domains, IP blocks, hosts, email contacts, ASNs, or WHOIS organizations. These seeds serve as starting points for recursive scans, identifying associated infrastructure and revealing additional assets that are connected to the organization.
  • Recursive asset mapping: The discovery engine uses each seed to explore first-level connections, such as domains registered with the same contact email or hosts resolving to shared IP blocks. These connections expand into second-level and third-level links, creating a detailed map of the attack surface. The process continues until the system reaches the boundaries of assets the organization is responsible for managing.
  • Automated and customized inventories: Organizations can start with prebuilt inventories derived from Microsoft’s existing data or create customized inventories using Discovery Groups. These groups allow users to manage seed lists and schedule recurrent discoveries, tailoring the process to their needs.
  • Dynamic asset classification: Discovered assets are categorized into several states, including approved inventory, dependencies, candidate assets, “monitor only” assets, and items requiring investigation.
  • Continuous monitoring: Once the inventory is populated, Defender EASM repeatedly scans the assets using virtual user technology. This process gathers data on asset behavior and content, uncovering vulnerabilities, compliance issues, and other risks.
  • Unified management: All discovered assets are indexed in a centralized inventory, providing a dynamic system of record.

Tutorial #1: Create a Defender EASM Azure Resource

This guide explains how to set up a Microsoft Defender External Attack Surface Management (Defender EASM) Azure resource using the Azure portal. Instructions in this tutorial and the following one are adapted from the Defender EASM documentation.

Prerequisites

Before proceeding, ensure the following:

  • You have an Azure subscription or have created a free Azure account.
  • You hold a Contributor role in Azure.
  • You are familiar with the Azure portal.

Steps to Create a Defender EASM Azure Resource

  1. Create a resource group
  • Log in to the Azure portal and select Resource Groups from the homepage.
  • Click Create.
  • Fill in the Subscription, Resource Group, and Region fields.
  • Click Review + Create to confirm the details, and then select Create.

  2. Create a Defender EASM resource
  • In the Azure portal search bar, type Microsoft Defender EASM and press Enter.
  • From the results, click Create to start creating a Defender EASM resource.
  • Fill in the Subscription, Resource Group, Name, and Region fields.
  • Click Review + Create to validate the entries, and then select Create.

Once the resource is successfully created, you can navigate to it and begin using Defender EASM to manage and secure your external attack surface.

Product Limitations

As you evaluate Microsoft Defender EASM, you should be aware of the following limitations, reported by users on the G2 platform:

  • Complex setup and integration: Initial configuration and integration can be challenging, particularly for organizations with diverse IT environments. The learning curve for new users may require significant time and effort.
  • Interface and navigation challenges: The user interface could benefit from enhancements to improve navigation and usability. Users sometimes report getting lost while navigating the tool, indicating a need for a more intuitive flow.
  • Performance issues: The tool may experience slower performance during peak usage times, and its processing power and storage requirements can be high compared to similar solutions.
  • False positives: Defender EASM occasionally generates false positives, requiring additional manual checks to validate findings. This can impact the efficiency of vulnerability management processes.
  • UI and data management enhancements needed: The data placement, filtering options, and overall user experience could be more refined to meet user needs effectively.
  • Stability issues: Some users report occasional software bugs, especially following Windows updates, which can disrupt operations.
  • Overblocking and configuration complexity: The solution can sometimes enforce overly simplistic blockings, potentially leading to unnecessary interruptions. Additionally, its configuration is perceived as more complex than competing tools.
  • Cost considerations: While pricing is generally reasonable, it may be on the higher side for some organizations, especially smaller ones with limited budgets.

Tutorial #2: Using and Managing Discovery with Defender EASM

This tutorial guides you through accessing and managing external asset discovery in Microsoft Defender External Attack Surface Management (EASM).

Step 1: Access Your Automated Attack Surface

  1. Locate your preconfigured attack surface:
  • Open the Defender EASM instance and select Getting started under the General section.
  • Use the search function to locate your organization’s attack surface in the list of preconfigured attack surfaces.

  2. Build your attack surface:
  • Choose your organization from the list and select Build my attack surface. This initiates a background discovery process.
  • Once the process begins, you are redirected to the dashboard in Preview Mode, where you can explore initial insights about your infrastructure.

  3. Review dashboard insights:
  • Use the dashboard to examine discovered assets, vulnerabilities, and risks. This provides a comprehensive overview of your external attack surface.

Step 2: Customize Discovery

Custom discoveries help you identify outlier assets or infrastructure linked to subsidiaries, acquired entities, or independent business units.

  1. Create a discovery group:
  • Navigate to the Discovery section under the Manage menu in the left pane.
  • Select Add discovery group to create a new group.
  • Provide a name and description, and set the Recurring frequency. The default recurrence is Weekly, which is recommended for continuous monitoring; set it to Never for a one-time scan.
  • Click Next: Seeds.

  2. Add discovery seeds:
  • Seeds represent known assets such as domains, IP blocks, email contacts, or WHOIS organizations.
  • Use the Quick Start option to search for preconfigured assets linked to your organization.
  • Alternatively, manually input assets in the supported formats.

  3. Exclude entities (optional):
  • Specify assets to exclude from discovery, such as infrastructure linked to subsidiaries, by adding them to the exclusion list.

  4. Review and create:
  • Review the group details and seed list, then click Create & Run to start the discovery process.

Step 3: Manage Discovery Groups

  1. View and edit groups:
  • The Discovery page displays a list of all discovery groups. For each group, you can view details, edit the configuration, or initiate a new discovery run.
  • Use the Run History section for insights on completed discoveries, including new assets added to your inventory.

  2. Monitor seeds and exclusions:
  • Use the Seeds tab to view all seed assets, their types, and associated discovery groups.
  • Use the Exclusions tab to manage entities excluded from the discovery process.
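As an added illustration of the seed-driven, recursive discovery described under How Microsoft Defender EASM Works, and of the seed and exclusion lists configured in Step 2 above, here is a small Python model (written for this page, not Microsoft's code or API) of how seeds expand through first-, second- and third-level links, how an exclusion list keeps subsidiary infrastructure out of the inventory, and how discovered assets can be bucketed into states. The relationship graph, asset names and the depth-based state assignment are all assumptions constructed for the example.

```python
from collections import deque

# Constructed relationship graph, not real assets: (asset, link type, asset).
# Link types mirror the page: shared WHOIS contact, hosts, IP-block resolution.
EDGES = [
    ("example.com", "whois_contact", "admin@example.com"),
    ("admin@example.com", "whois_contact", "example.net"),
    ("example.com", "has_host", "www.example.com"),
    ("www.example.com", "resolves_to", "203.0.113.0/24"),
    ("example.net", "has_host", "www.example.net"),
    ("example.net", "has_host", "vpn.example.net"),
    ("203.0.113.0/24", "hosts", "vpn.example.net"),
    ("203.0.113.0/24", "hosts", "shop.subsidiary.example"),
    ("shop.subsidiary.example", "whois_contact", "it@subsidiary.example"),
]

def build_graph(edges):
    """Links are bidirectional: a shared contact links both assets."""
    graph = {}
    for a, rel, b in edges:
        graph.setdefault(a, []).append((rel, b))
        graph.setdefault(b, []).append((rel, a))
    return graph

def is_excluded(asset, excluded):
    """Assumed exclusion rule: the name itself, its subdomains, and
    email addresses in that domain are all kept out of discovery."""
    name = asset.split("@")[-1]
    return any(name == e or name.endswith("." + e) for e in excluded)

def discover(seeds, edges, exclusions=(), max_depth=3):
    """Breadth-first expansion from seeds through first-, second- and third-level
    links, never entering excluded entities. Returns {asset: (depth, evidence)}."""
    graph = build_graph(edges)
    found = {s: (0, "seed") for s in seeds if not is_excluded(s, exclusions)}
    queue = deque(found)
    while queue:
        asset = queue.popleft()
        depth = found[asset][0]
        if depth >= max_depth:
            continue  # boundary of what the organization is asked to manage
        for rel, linked in graph.get(asset, []):
            if linked in found or is_excluded(linked, exclusions):
                continue
            found[linked] = (depth + 1, f"{rel} from {asset}")
            queue.append(linked)
    return found

def classify(found):
    """Assumed depth-based states (not the product's logic): seed, 1-2 hops, 3 hops."""
    states = {"Approved inventory": [], "Candidate": [], "Requires investigation": []}
    for asset, (depth, _) in found.items():
        state = "Approved inventory" if depth == 0 else "Candidate" if depth <= 2 else "Requires investigation"
        states[state].append(asset)
    return {k: sorted(v) for k, v in states.items()}
```

Running `discover(["example.com"], EDGES, exclusions=["subsidiary.example"])` reaches the hosts and IP block linked to the seed but never the subsidiary's shop host or its contact, and each entry carries the link that produced it, which is the evidence a reviewer needs when deciding whether a candidate really belongs in the inventory.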

Asset Discovery Limitations

When using Defender EASM for discovery, you should be aware of these important limitations:

  • Dependence on seed assets: The discovery process relies heavily on prior knowledge and submission of known assets, such as domains, IP ranges, and email contacts, as seeds. This reliance makes it challenging to detect assets in unknown or unstructured organizational environments, particularly for IT security teams managing external attack surfaces.
  • Lack of organizational context: Defender EASM does not provide robust organizational mapping or business context, which can hinder accurate asset classification and attribution. This limitation impacts the ability to tie assets to specific business units or subsidiaries effectively.
  • Passive scanning techniques: The tool primarily uses passive scanning methods for vulnerability assessments. Active testing, which can provide more definitive insights into asset security and remediation effectiveness, is not supported.
  • Weak issue prioritization: Risk prioritization relies on CVSS scores. This method may not fully account for context-specific risks, which can impact an organization’s ability to address the most critical vulnerabilities effectively.
  • Lack of remediation validation: Defender EASM does not support active testing to validate whether remediation efforts have successfully mitigated identified risks. This limitation can leave organizations uncertain about the security state of their assets.

CyCognito: The Top Alternative to Microsoft Defender EASM

The CyCognito platform addresses today’s exposure management requirements by taking an automated, multi-faceted approach to identifying and remediating critical issues based on their business impact, rather than on the generic severity of the threat alone. This requires a platform that continuously monitors the attack surface for changes and provides intelligent prioritization that incorporates organizational context.

The CyCognito platform addresses today’s vulnerability management requirements by:

  • Maintaining a dynamic asset inventory with classification of the entire external attack surface, including exposed on-premises and cloud-hosted assets such as web applications, IP addresses, domains and certificates, eliminating the need to rely on outdated or incomplete information from collaboration tools, spreadsheets, or emails. This approach significantly reduces the burden of tedious, error-prone and costly processes.
  • Actively testing all discovered assets to identify risk. Active testing, including dynamic application security testing (DAST), uncovers complex issues and validates known issues, with low false positives. Each exploited asset is assigned a security grade based on its criticality to the business.
  • Prioritizing critical issues, guiding security teams to focus on the most urgent threats. Our risk-based prioritization analysis goes beyond the Common Vulnerability Scoring System (CVSS) and incorporates factors such as asset discoverability, asset attractiveness, exploitability, business impact and remediation complexity. Integrated tactical threat intelligence identifies the handful of attack vectors that pose the greatest risk.
  • Streamlining communication between remediation teams by providing comprehensive, verifiable evidence for each exploited asset. This evidence includes detailed risk assessments, asset ownership information, and actionable remediation guidance. The platform integrates with SIEM, SOAR and ticketing tools such as Jira, ServiceNow and Splunk to facilitate information sharing and collaboration.

Learn more about the CyCognito Attack Surface Management Platform.
