Free on Microsoft Marketplace

Stop Threats Faster with Free Security Dashboards for Microsoft Defender

7 pre-built Power BI dashboards connecting live to your Defender for Endpoint tenant: vulnerability priorities, patch gaps, device risk, and board-ready Secure Score reporting. Live in minutes. No data storage.

  • Free up to 100 devices
  • Live in under 15 min
  • Built on Power BI
  • Enterprise at $2,999/year
SOC Teams
Real-time incident and vulnerability triage
IT Security
Device health, patch gaps & compliance
CISOs and Security Leaders
Secure Score and board-ready reporting
Enterprises
Running Microsoft Defender for Endpoint
7 Specialist Dashboards

Every Security Blind Spot. Covered.

Microsoft Defender generates powerful telemetry, but its native reporting buries the signals that drive fast remediation. Each dashboard closes a specific gap. Click Watch Demo on any card to see it in action.

DASHBOARD 01

Summary · All Personas

Protection Insights

Reduce post-launch rework by validating assumptions early. User interviews, competitive analysis, and journey mapping that ground your app in real user needs.

  • Incidents and alerts by severity, category, and risk level
  • Vulnerability Risk Matrix across devices, software and configs
  • Real-time Exposure and Secure Configuration Scores
  • Patch and configuration gaps ranked by exploitability

DASHBOARD 02

SOC Teams

Incidents and Alerts

Real-time security command center. Every alert ranked by severity and status; drill into affected devices and attack origins before threats escalate.

  • Live incident and alert monitoring by severity and status
  • Risk-based prioritization: focus on what matters most
  • Device & threat correlation: pinpoint affected assets
  • Trend analysis for long-term cyber resilience

DASHBOARD 03

IT Ops · SOC

Device Health

Complete endpoint visibility: active, inactive, unmanaged, and shadow IT assets all mapped with exposure levels, OS compliance, and risk rankings.

  • Active, inactive & unmanaged device mapping
  • Risk & exposure levels ranked by threat intelligence
  • OS version, patch status & onboarding completeness
  • Shadow IT detection & corporate vs. unauthorized devices

DASHBOARD 04

Compliance · IT Ops

Software and Compliance

Full software inventory with unpatched and End of Support applications flagged automatically. Public exploit tracking so you know which gaps attackers are actively targeting.

  • Full inventory: vendor, version & category detail
  • Unpatched & EOS software automatically flagged
  • Public exploit tracking: know what attackers target
  • Device-level impact analysis per software gap

DASHBOARD 05

SOC Teams

Vulnerability Risk

Exploitable vs. non-exploitable CVE classification with device-level impact mapping and time-to-remediation tracking. Fix what matters, backed by threat intelligence.

  • Exploitable vs. non-exploitable CVE classification
  • Vulnerability trend analysis over time
  • Severity & business impact prioritization
  • Days-since-first/last-detection tracking

DASHBOARD 06

IT Ops · SOC

Patch Gaps

Always-current view of missing security updates ranked by severity and exploitability. Vendor-backed recommendations with device-level impact; close gaps before attackers find them.

  • Missing updates: exploited vs. non-exploited classification
  • Vendor-backed remediation recommendations
  • Device-level impact: exactly which endpoints at risk
  • Patch urgency: severity + business impact in one view

DASHBOARD 07

CISOs · Security Directors · Board Reporting

Secure Score Control

Stop reporting a number. Show the board exactly what you’re doing about it and what each action costs. Purpose-built for CISO briefings and board security presentations.

  • Prioritized control actions ranked by score impact
  • Implementation cost per control: Low / Moderate / High / Unknown
  • User impact evaluation: deploy with minimal disruption
  • Score tracking: Max Score, Rank, Tier & Score %
  • Service-based control breakdown by security domain

Ideal for monthly CISO briefings, board security updates, and cyber insurance evidence packages.

Trusted By Security Teams

Proving Value in Real Environments

Security and IT teams use Defender Analytics to close the gap between raw Defender telemetry and actionable intelligence, at zero cost.

2000+

Active Installations

7

Dashboard Modules

100+

Security Data Fields

FREE

No Licensing Cost

Using Defender Analytics? Help others find it: leave a rating on Microsoft AppSource →

Setup Process

Up and Running in Three Steps

No data warehouse. No custom ETL pipeline. No weeks of configuration. Connect your Microsoft Defender for Endpoint tenant and your first dashboard is live in minutes.

01

Install from Marketplace

Click “Get it now” on Microsoft Marketplace. Defender Analytics installs directly into your Power BI tenant; no on-premises infrastructure required.

02

Architecture and Wireframing

Create an Azure App Registration and enter your Client ID, Secret, and Tenant ID in Power BI parameters. Grant admin consent for API permissions. Takes under 15 minutes.

03

Explore and Act

All 7 dashboards populate immediately from your live Defender data. Drill into CVEs, patch gaps, and device risk; share Secure Score reports with leadership.

Always-current, live-connected data, no intermediate storage

Defender Analytics reads directly from Microsoft’s Defender for Endpoint APIs. Every dashboard refresh reflects the live state of your environment as of that moment. Your security data never passes through or is stored by Brickclay; it stays exclusively within your Microsoft Azure tenancy, exactly as your security policy requires.

Why Defender Analytics

Built for Microsoft Defender. Designed for Security Teams.

Everything native Defender reporting doesn’t show you, in a free Power BI layer that connects in minutes.

Completely Free

No licensing cost beyond your existing Power BI subscription. Available on Microsoft Marketplace with a single click; no procurement conversation required.

Live in Under 15 Minutes

7 pre-built dashboards appear immediately after connecting your Defender tenant. No blank-canvas setup, no engineering sprint, no IT project.

100+ Security Fields

A richer data model than any native Defender report: 100+ fields from the Defender for Endpoint API, surfacing signals the built-in portal leaves buried.

Built for Two Buyers

Drill-through CVE & device-level analysis for SOC teams. Board-ready Secure Score Control reporting for CISOs. One product for your entire security hierarchy.

Real-Time Auto-Updates

No licensing cost beyond your existing Power BI subscription. Available on Microsoft Marketplace with a single click; no procurement conversation required.

Fully Customizable

Built on standard Power BI: extend, filter, or combine dashboards with other data sources using tools your team already knows. No proprietary lock-in.

Zero Data Exposure

Your security data never leaves your Microsoft environment. Defender Analytics reads from your Azure tenant; Brickclay does not collect, store, or transmit your data.

Dedicated Support Team

Our team responds within 2 business days for setup assistance, customization guidance, and technical questions, with a real person who knows the product.

Capability Comparison

What Native Defender Reporting Doesn’t Show You

Defender for Endpoint’s built-in reporting covers the fundamentals. Defender Analytics surfaces everything else, for free.

Capability | Defender Analytics | Native Defender Reporting
Exploitable vs. Non-exploitable CVE Classification | |
Device-level Vulnerability Mapping with Drill-through | |
Time-to-remediation Tracking Per Vulnerability | |
Secure Score Control Actions with Cost & User Impact | |
Shadow IT and Unmanaged Device Detection | | Limited
Software EOS and Public Exploit Tracking | | Limited
Patch Gaps Ranked by Severity + Exploitability | |
Board-ready Consolidated Security Reporting | |
Customizable Dashboards & Branded Reports | |
100+ Security Data Fields in One Model | |
Cost to Add | Free | Already included
Enterprise Unlimited Devices + Dedicated Account Manager | $2,999/year | Not available

Simple, Transparent Pricing

Two Tiers. No Surprises.

Start free for up to 100 devices — all 7 dashboards, no credit card required. When you’re ready for unlimited scale, a dedicated account manager, and full enterprise reporting, upgrade to Enterprise at $2,999/year.

Community: free up to 100 devices. Enterprise at $2,999/year.
No hidden tiers, no per-device fees, no surprise cliffs. Community gives your team all 7 dashboards free. Enterprise adds unlimited devices, a dedicated account manager, and full enterprise reporting, all in one flat annual subscription.
✓ Flat annual price
Community

Free

Up to 100 devices

No credit card · No time limit

  • All 7 security dashboards
  • Up to 100 devices
  • Unlimited internal users
  • 100+ Defender security fields
  • Real-time data refresh (up to 8×/day)
  • CISO & board reporting dashboard
  • Fully customisable in Power BI
  • Community email support (2-day response)
  • Unlimited devices (Enterprise only)
  • Dedicated account manager (Enterprise only)
  • White-label & branded report exports (Enterprise only)
Enterprise

$2,999

Billed annually · All devices included

Dedicated account manager included

  • Everything in Community
  • Unlimited devices — no cap
  • Dedicated account manager
  • Priority email support — 1-business-day SLA
  • Scheduled report delivery to stakeholders
  • White-label & branded report exports
  • Executive Summary Pack
  • Single-tenant dedicated deployment
  • Custom data source integrations
  • Co-branded deployment
  • Advanced Power BI refresh scheduling
  • Priority feature requests

One plan. Every device. One flat price.

Enterprise at $2,999/year covers your entire tenant — no per-device fees, no tiered device bands, no surprise invoices as your fleet grows. You get a dedicated account manager, white-label exports, the Executive Summary Pack, custom integrations, and priority support. Your security reporting scales with you, not against you.

FAQ

The Community tier is genuinely free — all 7 dashboards, up to 100 devices, no time limit, no credit card. The only requirements are a Microsoft Defender for Endpoint subscription and Power BI Pro or Premium. Brickclay earns revenue through the Enterprise plan ($2,999/year) — not by charging for Community or imposing surprise fees.

It is a flat annual subscription — $2,999/year regardless of how many devices you manage. Whether you have 101 devices or 10,000, the price does not change. There are no per-device fees, no usage bands, and no overage charges. Your security coverage scales freely within a single tenant as your fleet grows.

Enterprise includes everything in Community plus: unlimited devices (no cap), a dedicated account manager assigned to your organisation, priority 1-business-day support SLA, scheduled report delivery to stakeholders, white-label and branded report exports, the Executive Summary Pack, single-tenant dedicated deployment, custom data source integrations, and co-branded deployment. Contact subscriptions@brickclay.com to get started.

No. Defender Analytics connects directly to your Microsoft Defender for Endpoint tenant via an Azure App Registration using read-only API permissions. All data stays within your Microsoft Azure environment — it flows from Microsoft’s APIs directly into your Power BI workspace. Brickclay does not collect, store, or access your security data at any point.

Typically under 15 minutes for someone with Azure Global Administrator access. The steps are: install from Marketplace, create an Azure App Registration, grant the 11 read-only API permissions, and enter your credentials in Power BI parameters. Our setup guide walks through every step with screenshots.

Creating the Azure App Registration requires a Global Administrator in your Azure Active Directory — but this is a one-time, 8-minute step. Once done, any Power BI workspace admin can install and configure the dashboards. We recommend forwarding our Setup Guide to your IT or Azure AD admin with the specific steps highlighted.

Power BI Pro, Power BI Premium Per User (PPU), or a Power BI Premium tenant license. Microsoft offers free 60-day trials of Power BI Pro. If you’re already using Power BI for other reporting, you likely have the required license already.

Defender Analytics displays as-of-date, live-connected security intelligence — each dashboard reflects your environment as of the most recent refresh. Because data flows directly from Microsoft’s APIs to your Power BI workspace with no intermediate storage, dashboards always show an authoritative current-state snapshot. For security operations, this is a feature: every refresh gives your SOC team and CISO accurate real-time data, not a stale export.

You control the refresh schedule — up to 8 times per day with Power BI Pro. Each refresh pulls the latest data directly from your Microsoft Defender for Endpoint tenant and updates all 7 dashboards simultaneously. The Incidents & Alerts and Device Health boards benefit most from frequent syncs. Enterprise customers can configure advanced refresh scheduling beyond the standard 8×/day limit.

Yes — all dashboards are built on standard Power BI and are fully editable. Your team can add visualizations, filter by device groups or business units, create custom summary views, and combine Defender Analytics data with other Power BI sources. Enterprise customers additionally get white-label branded report exports and the Executive Summary Pack.

Email our support team at subscriptions@brickclay.com. Community customers receive a response within 2 business days; Enterprise customers within 1 business day from their dedicated account manager. We also have a detailed Setup Guide covering every step of the Azure App Registration and Power BI configuration process.

Protection Insights is your daily security command center and executive briefing board in one. It consolidates the signals from all other dashboards — incident severity distribution, top CVEs, device exposure score, and Secure Score gaps — into one overview that tells you immediately whether your security posture improved or worsened since the last refresh. Most teams open it at the start of each day and before any leadership update. When something flags here, you drill into the relevant specialist dashboard (Incidents, Devices, Vulnerabilities, etc.) to investigate.

No — it gives you the picture, not the depth. When Protection Insights flags a cluster of high-severity incidents or a spike in exposed devices, you move to Incidents & Alerts or Device Health to investigate. Think of it as the command center and the other six as the specialist workrooms behind it. Its value is speed: one glance confirms whether your environment needs immediate attention or is operating normally.

The Defender portal shows a list. The Incidents & Alerts dashboard shows a pattern. You get severity distribution over time, device and threat correlation mapped visually, MITRE ATT&CK tactic breakdowns, and trend charts that let you spot whether your incident rate is climbing or falling week over week — context the native portal’s list view doesn’t give you. For SOC leads and security managers, this pattern view is what enables proactive decisions rather than reactive triage.

Yes — all dashboards are built on Power BI, so you can slice by any dimension in the data model: severity level, alert status, device group, assigned analyst, or date range. The Incidents & Alerts dashboard supports cross-filtering, meaning selecting a specific tactic on the MITRE ATT&CK chart automatically filters the device list and timeline to show only the affected assets and time windows. Enterprise customers can layer in custom filters tied to business unit or department structure.

Yes. The Device Health dashboard surfaces unmanaged and potentially unauthorised devices that appear in your Defender for Endpoint telemetry, categorised separately from your corporate-managed fleet. This gives your IT and security teams a clear shadow IT signal — devices connecting to your network that haven’t been through onboarding — without requiring a separate endpoint discovery tool. Each unmanaged device is shown with its risk exposure level and last seen date.

Each device is scored using Microsoft Defender for Endpoint’s own exposure and threat intelligence signals — the dashboard surfaces and organises data Defender already generates, rather than inventing its own scoring model. High-risk devices appear with their associated open vulnerabilities and patch gaps linked, so you can move from “this device is high-risk” to “here’s what to fix” in one click. OS compliance, sensor version, and onboarding status are surfaced alongside the risk ranking to give a complete endpoint health picture.

Yes. Any software in your environment that has reached its vendor End of Support date is automatically tagged in the Software & Compliance dashboard — no manual list maintenance required. You’ll see which devices it’s installed on, whether known public exploits exist for that version, and the vendor’s recommended remediation action. For organisations running legacy software, this view alone often surfaces risk that was previously invisible.

For frameworks like ISO 27001, Cyber Essentials, SOC 2, or cyber insurance audits, having a live, exportable record of your software estate — including unpatched versions, EOS software, and public exploit status — reduces audit preparation time significantly. The dashboard exports directly from Power BI, so you can generate a current-state snapshot for an auditor on demand. Enterprise customers additionally get white-label branded exports and the Executive Summary Pack, which packages this data into a board-ready format.

The dashboard classifies every CVE in your environment as exploitable or non-exploitable based on Defender for Endpoint’s threat intelligence — not just CVSS score. Within exploitable CVEs, you see severity, number of affected devices, and how long the CVE has been present in the environment. The combination of actively exploited + high severity + many devices affected + long dwell time naturally surfaces itself as the top of your remediation queue. This prevents the common mistake of patching high-CVSS theoretical risks while ignoring lower-scored CVEs that are actively being weaponised.

Yes — the dashboard tracks days since first detection and days since last detection for each CVE. Across successive refreshes, this lets you observe whether your remediation velocity is improving, and identify CVEs with unusually long dwell times that may have been overlooked. Enterprise customers use this data to build mean-time-to-remediate evidence for cyber insurance requirements and to demonstrate programme maturity in audit and board reporting contexts.

Native Defender reporting tells you updates are missing. The Patch Gaps dashboard tells you which ones matter most and why. Missing updates are ranked by severity, by exploitability (whether the vulnerability has a known active exploit in the wild), by vendor remediation recommendation, and by device-level impact. This means your team can prioritise the patches that carry the highest actual risk to your organisation — not just the most recently released ones. The vendor-backed recommendation column removes the guesswork from prioritisation.

Yes — every patch gap in the dashboard has device-level drill-through. Click on a missing update and you see the complete list of affected devices, their individual exposure levels, and the vendor’s remediation recommendation for that specific gap. This makes it practical to assign remediation to the right team members — your patch operations lead, IT admin, or specific device owner — with the right context attached, rather than sending a generic “patch these” alert.

The dashboard is designed for exactly this. Instead of reporting a score number and hoping the board understands it, you can show them the prioritised list of improvement actions, the implementation cost of each (Low / Moderate / High), the expected user impact, and your current rank and tier. This frames security investment as a business decision — “these three actions move our score by X points at low cost and minimal disruption” — rather than a technical metric that the board has no reference point to evaluate. Export directly from Power BI for a clean, shareable briefing document.

Yes — each control action shows its maximum score contribution alongside its implementation cost category and user impact assessment. This lets your security team model which actions deliver the highest score improvement for the lowest disruption or cost, and present that prioritised roadmap to leadership with confidence. It also enables you to sequence the roadmap strategically: quick wins first to demonstrate momentum, then higher-cost controls aligned to budget cycles. Enterprise customers use this view to build quarterly security improvement plans tied directly to their Secure Score trajectory.

Get Started Today

Free up to 100 Devices. Enterprise at $2,999/year.

Community is free — all 7 dashboards, up to 100 devices, no credit card. When you need unlimited scale and a dedicated account manager, Enterprise is $2,999/year — one flat price, every device in your tenant included.
