Overview of Microsoft Defender for Identity

This course introduces you to Microsoft Defender for Identity and is designed to provide you with a good understanding of what Microsoft Defender for Identity is, what it offers, the components that comprise it, and the requirements you must meet to use it.

Learning Objectives

  • Get a basic understanding of Microsoft Defender for Identity
  • Learn about the architecture of Microsoft Defender for Identity as well as its components
  • Understand the requirements for planning the deployment of Defender for Identity

Intended Audience

This quick-hitting course is intended for those who wish to learn what Microsoft Defender for Identity is and what it does.

To get the most out of this course, you should have a general understanding of Azure, particularly Azure Active Directory.

Hello and welcome to Microsoft Defender for Identity.

Microsoft Defender for Identity was originally called Azure Advanced Threat Protection (Azure ATP). It's a security solution that uses signals from your on-prem Active Directory to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Microsoft Defender for Identity uses learning-based analytics to help you monitor user behavior and activities AND it allows you to protect Active Directory user identities and credentials.

You can also use Microsoft Defender for Identity to identify and investigate suspicious user activities and attacks throughout the kill chain AND to provide incident information that assists in triage.

Microsoft Defender for Identity looks at things like permissions and group membership, and then creates a behavioral baseline for each user in the organization. Using this information, and adaptive intelligence, Defender for Identity can then identify behavior anomalies, which in turn, provides insight into suspicious activities and events. This information then reveals the threats and compromised users that need to be addressed. This is all accomplished through proprietary Defender for Identity sensors that monitor the on-prem AD domain controllers.

As I previously mentioned, Defender for Identity also helps you protect your users' identities before an attack happens. It does this by providing insights into identity configurations and suggested security best practices. The security reports in Defender for Identity, along with the user profile analytics it offers, help reduce the identity attack surface in your organization, which in turn makes it harder for an attacker to steal and reuse user credentials.

A feature in Defender for Identity, called Lateral Movement Paths, visually maps how an attacker who has compromised a low-value account could move, host by host and account by account, to a sensitive account such as a Domain Admin. The feature doesn't block those paths by itself; its value is that you can see and remediate them (for example, by removing a sensitive account's logon session or local admin rights on a lower-trust machine) before an attacker walks them.

I should also mention that Defender for Identity offers security reports that identify users and even devices that are sending credentials in clear text, typically by performing LDAP simple binds over unencrypted connections to your domain controllers, which, of course, is a big no-no. You can use this information to find and fix the offending applications and improve your security posture.
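The clear-text report depends on a sensor watching each domain controller. As an added example that is not part of the course or of Defender for Identity, the script below shows how the domain controller itself can surface the same insecure binds, which is useful before the sensor is deployed or to corroborate the report. Windows logs Event ID 2889 in the Directory Service log for every simple bind over clear text and every unsigned SASL bind once the "16 LDAP Interface Events" diagnostic level is raised to 2; the script raises that level and summarises the results per client, identity and bind type. The function name is my own.

```powershell
# Added example, not part of the course or of Defender for Identity.
# Run elevated on a domain controller, and repeat per DC: each DC only
# logs the binds it received itself.

# Raise the NTDS diagnostic level for LDAP interface events so that
# Event ID 2889 is written for each insecure bind (2 is the usual setting).
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord

function Get-InsecureLdapBind {
    # Hypothetical helper name; returns one object per Event 2889.
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Event 2889 carries three fields in this order:
        #   client IP:port, identity the client bound as, binding type
        #   (0 = SASL bind without signing, 1 = simple bind over clear text).
        $fields = $_.Properties
        $bindType = switch ([string]$fields[2].Value) {
            '0'     { 'SASL bind, unsigned' }
            '1'     { 'Simple bind, clear text' }
            default { "Unknown ($_)" }
        }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = $fields[0].Value -replace ':\d+$', ''   # drop the ephemeral port, IPv4 or IPv6
            Identity = $fields[1].Value
            BindType = $bindType
        }
    }
}

# Who is exposing credentials on the wire, and how often.
Get-InsecureLdapBind -Days 7 |
    Group-Object Client, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Client / Identity / Bind type'; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

Simple binds over LDAPS are not logged here and are not what the report is about, since the credential is protected by TLS. The fix is on the client side: switch the application to LDAPS or to a SASL bind with signing, then, once the list is empty, enforce it with the domain controller LDAP signing and channel binding policies.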

Defender for Identity even helps protect Active Directory Federation Services (AD FS) in hybrid environments. Sensors can be installed on the AD FS servers themselves, so attacks against the federation service on-prem are detected alongside attacks against the domain controllers.

Attacks usually start with a low-privileged user and then use that account to move laterally toward more sensitive accounts and highly sensitive data. Because the sensors see the authentication traffic at the domain controllers, Defender for Identity can identify these threats at the source and follow them through each stage of the attack kill chain.

For example, Defender for Identity detects reconnaissance, such as an attacker enumerating users, groups, and sessions to find targets and illegitimate access paths to information. It also identifies attempts to compromise user credentials through brute force and password-spray attacks, repeated failed authentications, and other methods. Its ability to detect lateral movement inside the network identifies situations where someone is using techniques like Pass the Ticket, Pass the Hash, and Overpass the Hash to take control of sensitive accounts. Defender for Identity can even identify when an attacker has achieved domain dominance, for instance through suspected DCSync replication requests or Golden Ticket usage.
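The failed-authentication part of this is easy to reason about in code. The script below is an added example, not course material and not how Defender for Identity is implemented: it shows the two patterns a credential-compromise detector has to separate, a password spray (one source, many accounts, few attempts each, deliberately staying under the lockout threshold) and a classic brute force (one account, many attempts), over a constructed set of Kerberos pre-authentication failures (Security Event ID 4771 with Status 0x18, wrong password). The function names, thresholds and sample data are my own.

```powershell
# Added example, not Defender for Identity code.
# In production the input would come from the domain controllers' Security
# logs, e.g. Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771 }.
# The records below are constructed: one host sprays six accounts, another
# hammers a single service account, and one user simply mistypes twice.
$sample = @(
    @{ Time = '2024-05-01T09:00:01'; Account = 'alice';   Client = '10.0.0.50' }
    @{ Time = '2024-05-01T09:00:02'; Account = 'bob';     Client = '10.0.0.50' }
    @{ Time = '2024-05-01T09:00:03'; Account = 'carol';   Client = '10.0.0.50' }
    @{ Time = '2024-05-01T09:00:04'; Account = 'dave';    Client = '10.0.0.50' }
    @{ Time = '2024-05-01T09:00:05'; Account = 'erin';    Client = '10.0.0.50' }
    @{ Time = '2024-05-01T09:00:06'; Account = 'frank';   Client = '10.0.0.50' }
    @{ Time = '2024-05-01T09:10:00'; Account = 'svc-sql'; Client = '10.0.0.77' }
    @{ Time = '2024-05-01T09:10:01'; Account = 'svc-sql'; Client = '10.0.0.77' }
    @{ Time = '2024-05-01T09:10:02'; Account = 'svc-sql'; Client = '10.0.0.77' }
    @{ Time = '2024-05-01T09:10:03'; Account = 'svc-sql'; Client = '10.0.0.77' }
    @{ Time = '2024-05-01T09:10:04'; Account = 'svc-sql'; Client = '10.0.0.77' }
    @{ Time = '2024-05-01T09:10:05'; Account = 'svc-sql'; Client = '10.0.0.78' }
    @{ Time = '2024-05-01T09:10:06'; Account = 'svc-sql'; Client = '10.0.0.78' }
    @{ Time = '2024-05-01T09:10:07'; Account = 'svc-sql'; Client = '10.0.0.78' }
    @{ Time = '2024-05-01T09:30:00'; Account = 'grace';   Client = '10.0.0.12' }
    @{ Time = '2024-05-01T09:30:07'; Account = 'grace';   Client = '10.0.0.12' }
) | ForEach-Object {
    [pscustomobject]@{
        Time    = [datetime]$_.Time
        EventId = 4771
        Status  = '0x18'          # KDC_ERR_PREAUTH_FAILED: wrong password
        Account = $_.Account
        Client  = $_.Client
    }
}

function Find-PasswordSpray {
    # One source, many distinct accounts, inside a short window.
    param([object[]]$Events, [int]$MinAccounts = 5, [int]$WindowMinutes = 10)
    foreach ($g in ($Events | Group-Object Client)) {
        $accounts = @($g.Group.Account | Sort-Object -Unique)
        $times    = @($g.Group.Time | Sort-Object)
        $minutes  = ($times[-1] - $times[0]).TotalMinutes
        if ($accounts.Count -ge $MinAccounts -and $minutes -le $WindowMinutes) {
            [pscustomobject]@{ Pattern = 'Password spray'; Entity = $g.Name
                               Accounts = $accounts.Count; Failures = $g.Count
                               Minutes = [math]::Round($minutes, 1) }
        }
    }
}

function Find-BruteForce {
    # One account, many failures, inside a short window; the source may vary.
    param([object[]]$Events, [int]$MinFailures = 8, [int]$WindowMinutes = 10)
    foreach ($g in ($Events | Group-Object Account)) {
        $times   = @($g.Group.Time | Sort-Object)
        $minutes = ($times[-1] - $times[0]).TotalMinutes
        if ($g.Count -ge $MinFailures -and $minutes -le $WindowMinutes) {
            [pscustomobject]@{ Pattern = 'Brute force'; Entity = $g.Name
                               Accounts = @($g.Group.Client | Sort-Object -Unique).Count
                               Failures = $g.Count; Minutes = [math]::Round($minutes, 1) }
        }
    }
}

# Only wrong-password failures count; lockouts and disabled accounts have other status codes.
$failed = $sample | Where-Object { $_.EventId -eq 4771 -and $_.Status -eq '0x18' }
@(Find-PasswordSpray -Events $failed) + @(Find-BruteForce -Events $failed) | Format-Table -AutoSize
```

With this data the 10.0.0.50 host is reported as a spray (six accounts, one attempt each) and svc-sql as a brute force (eight failures from two sources), while grace's two typos stay below both thresholds. Fixed thresholds are the simplification here: a spray aimed at one attempt per account per day would slip through, which is why Defender for Identity compares against a learned per-user baseline rather than a static count.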

Ultimately, Defender for Identity is designed to surface relevant security alerts on a real-time organizational attack timeline, while filtering out unwanted "alert noise" through intelligence and smart analytics. It can be used to identify and investigate threats, and to gain insight into users, devices, and network resources.

I should also mention that Defender for Identity seamlessly integrates with Microsoft Defender for Endpoint. This integration provides a layer of device security through detection of, and protection against, threats to the operating system.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.