Microsoft Defender for Identity architecture

Microsoft Defender for Identity monitors your domain controllers by capturing and parsing network traffic and by consuming Windows events sent directly from the domain controllers, then analyzes the collected data for attacks and threats. Using profiling, deterministic detection, machine learning, and behavioral algorithms, Defender for Identity learns your network, enables detection of anomalies, and warns you of suspicious activity.

Defender for Identity architecture:

Figure: Defender for Identity architecture topology diagram

This section describes the flow of Defender for Identity's network and event capture and details its three primary components: the Microsoft 365 Defender portal, the Defender for Identity sensor, and the Defender for Identity cloud service.

Installed directly on your domain controllers or AD FS servers, the Defender for Identity sensor reads the event logs it needs from those servers. After the sensor parses the logs and network traffic, only the parsed data is sent to the Defender for Identity cloud service (only a percentage of the logs is sent).

Components of Defender for Identity

Defender for Identity consists of the following components:

  • Microsoft 365 Defender portal: creates your Defender for Identity instance, displays the data received from Defender for Identity sensors, and lets you monitor, manage, and investigate threats in your network environment.
  • Defender for Identity sensor: sensors can be installed directly on the following servers:
      • Domain controllers: the sensor directly monitors domain controller traffic, without the need for a dedicated server or a port mirroring configuration.
      • AD FS: the sensor directly monitors network traffic and authentication events.
  • Defender for Identity cloud service: runs on Azure infrastructure and is currently deployed in the US, Europe, and Asia. The Defender for Identity cloud service is connected to Microsoft's intelligent security graph.

Microsoft 365 Defender portal

The Microsoft 365 Defender portal can be used to:

  • Create your Defender for Identity instance
  • Integrate with other Microsoft security services
  • Manage Defender for Identity sensor configuration settings
  • View the data received from Defender for Identity sensors
  • Monitor detected suspicious activities and suspected attacks, based on the attack kill chain model
  • Optionally configure the portal to send emails and events when security alerts or health issues are detected

Defender for Identity sensor

The Defender for Identity sensor has the following core functionality:

  • Capture and inspect domain controller network traffic (local traffic of the domain controller)
  • Receive Windows events directly from domain controllers
  • Receive RADIUS accounting information from your VPN provider
  • Retrieve data about users and computers from the Active Directory domain
  • Perform resolution of network entities (users, groups, and computers)
  • Transfer relevant data to the Defender for Identity cloud service

Defender for Identity sensor features

The Defender for Identity sensor reads events locally, so there is no need to purchase and maintain additional hardware or configurations. The sensor also supports Event Tracing for Windows (ETW), which provides the log information for multiple detections. ETW-based detections include the suspected DCShadow attack detections for domain controller replication requests and for domain controller promotion.

Domain synchronizer process

The domain synchronizer process is responsible for proactively synchronizing all entities from a specific Active Directory domain (similar to the mechanism the domain controllers themselves use for replication). One sensor is chosen automatically and at random from all of your eligible sensors to act as the domain synchronizer.

If the domain synchronizer is offline for more than 30 minutes, another sensor is automatically chosen instead.

Resource limitations

The Defender for Identity sensor includes a monitoring component that evaluates the available compute and memory capacity on the domain controller it runs on. The monitoring process runs every 10 seconds and dynamically updates the CPU and memory utilization quota of the Defender for Identity sensor process, ensuring that the domain controller always has at least 15% of its compute and memory resources free.

Whatever happens on the domain controller, the monitoring process continually frees up resources so that the domain controller's core functionality is never affected.

If the monitoring process causes the Defender for Identity sensor to run out of resources, only part of the traffic is monitored, and the health alert "Dropped port mirrored network traffic" appears on the sensor page.
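The following script is an added example, not Microsoft's sensor code: it models the resource governor described above so an administrator can see how much headroom the sensor has on a domain controller. It samples CPU and memory every 10 seconds, holds back the 15% reserve the page describes, and reports when that budget reaches zero, which is the condition behind the "Dropped port mirrored network traffic" health alert. The 10 s and 15% figures come from the page; the performance counter names are standard Windows counters; the function names and the $Samples, $IntervalSec and $ReservePct parameters are assumptions of this example, and the real sensor's internal algorithm is not public.

```powershell
# Added example: a minimal model of the sensor's resource governor, not Microsoft code.
# Assumptions: standard Windows performance counters; 10 s interval and 15% reserve
# are taken from the page; everything else is this example's own design.

function Get-SensorBudget {
    param(
        [double]$CpuBusyPct,       # % of total CPU currently in use (all processes)
        [double]$MemUsedPct,       # % of physical memory currently in use
        [double]$ReservePct = 15   # headroom that must always remain free for the DC
    )
    # Budget = what is left once the reserve is honoured; never negative.
    # A zero budget means the sensor would be throttled and start dropping traffic.
    [pscustomobject]@{
        CpuBudgetPct = [math]::Max(0, 100 - $ReservePct - $CpuBusyPct)
        MemBudgetPct = [math]::Max(0, 100 - $ReservePct - $MemUsedPct)
    }
}

function Watch-DcHeadroom {
    param([int]$Samples = 6, [int]$IntervalSec = 10)

    $totalMB = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB

    for ($i = 0; $i -lt $Samples; $i++) {
        # Whole-machine CPU busy % and free memory, as the governor would observe them
        $cpu    = (Get-Counter '\Processor(_Total)\% Processor Time').CounterSamples[0].CookedValue
        $freeMB = (Get-Counter '\Memory\Available MBytes').CounterSamples[0].CookedValue
        $memUsed = 100 * (1 - ($freeMB / $totalMB))

        $b = Get-SensorBudget -CpuBusyPct $cpu -MemUsedPct $memUsed
        $state = if ($b.CpuBudgetPct -eq 0 -or $b.MemBudgetPct -eq 0) {
            'THROTTLED (expect "Dropped port mirrored network traffic")'
        } else {
            'ok'
        }

        '{0:HH:mm:ss} cpu={1,5:N1}% mem={2,5:N1}%  sensor budget: cpu={3,5:N1}% mem={4,5:N1}%  {5}' -f `
            (Get-Date), $cpu, $memUsed, $b.CpuBudgetPct, $b.MemBudgetPct, $state

        Start-Sleep -Seconds $IntervalSec
    }
}

# Run on a domain controller; one minute of samples at the page's 10 s cadence
Watch-DcHeadroom
```

If the budget column sits at zero during normal working hours, the domain controller is already running too close to the 15% reserve for the sensor to see all traffic, and the fix is capacity on the domain controller, not tuning of the sensor.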

Windows Events

To enhance its detection of NTLM authentications, modifications to sensitive groups, and creation of suspicious services, Defender for Identity needs to analyze the logs of the relevant Windows events. Defender for Identity sensors read these events automatically when the correct advanced audit policy settings are in place. Review your NTLM audit settings to make sure Windows Event 8004 is audited as the service requires.
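The following script is an added example, not part of the page or of Microsoft's tooling, showing how to verify on a domain controller that the NTLM auditing the page calls for is in place and that Event 8004 is actually being produced. The registry values it reads are the standard locations behind the Windows "Network security: Restrict NTLM" audit policies, and the Security log event IDs it counts (4728, 4732, 4756, members added to global, local and universal security groups) are standard Windows events under the "Security Group Management" audit subcategory; the check names and output format are this example's own.

```powershell
# Added example (not Microsoft's code): confirm that NTLM auditing is enabled and
# that Event 8004 and group-change events are flowing on this domain controller.
# Assumptions: standard "Restrict NTLM" registry locations; run elevated on a DC.

$checks = @(
    @{
        Name  = 'Restrict NTLM: Audit NTLM authentication in this domain'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Value = 'AuditNTLMInDomain'
        Ok    = { param($v) $v -in 1, 3, 5, 7 }   # any "Enable ..." option; 7 = enable all
    },
    @{
        Name  = 'Restrict NTLM: Audit Incoming NTLM Traffic'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        Value = 'AuditReceivingNTLMTraffic'
        Ok    = { param($v) $v -in 1, 2 }         # 1 = domain accounts, 2 = all accounts
    },
    @{
        Name  = 'Restrict NTLM: Outgoing NTLM traffic to remote servers'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        Value = 'RestrictSendingNTLMTraffic'
        Ok    = { param($v) $v -eq 1 }            # 1 = audit all
    }
)

foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    if ($null -eq $v)     { $status = 'NOT SET (policy not applied)' }
    elseif (& $c.Ok $v)   { $status = "OK (value $v)" }
    else                  { $status = "DISABLED (value $v)" }
    '{0,-60} {1}' -f $c.Name, $status
}

# Event 8004 is written to the NTLM operational log; a zero count over a full
# day on a busy DC usually means the policy above is not yet effective.
$since = (Get-Date).AddHours(-24)
$ntlm = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8004
    StartTime = $since
} -ErrorAction SilentlyContinue
"Event 8004 entries in the last 24h: $(@($ntlm).Count)"

# Sensitive-group changes land in the Security log and require the
# 'Security Group Management' advanced audit subcategory to be set to Success.
auditpol /get /subcategory:"Security Group Management"
$grp = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = $since
} -ErrorAction SilentlyContinue
"Group membership additions (4728/4732/4756) in the last 24h: $(@($grp).Count)"
```

Run it on each domain controller that hosts a sensor; the registry checks tell you whether the policy has reached the machine, and the event counts tell you whether it has taken effect, which is the condition the sensor depends on.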
