Understanding Microsoft Defender for Identity

Zaid Shaikh, Technical Support Engineer Azure/Office 365

A cloud-based security solution called Microsoft Defender for Identity (previously known as Azure Advanced Threat Protection, or Azure ATP) uses your on-premises Active Directory signals to identify, detect, and look into advanced threats, compromised identities, and malicious insider actions targeted at your company.

SecOps analysts and security professionals who struggle to find sophisticated threats in hybrid environments can now:

  • Monitor user behaviour, entity behaviour and activity with learning-based analytics
  • Protect user identities and credentials stored in Active Directory
  • Identify and investigate advanced attacks and suspicious user activity along the entire kill chain
  • Provide clear incident information on a simple timeline for fast triage

Analyze and keep track of user behaviour and activities

To establish a behavioural baseline for each user, Defender for Identity continuously monitors and analyses user activity and information across your network, including permissions and group membership. Defender for Identity then uses adaptive built-in intelligence to detect anomalies, giving you insight into suspicious activities and events and exposing the advanced attacks, compromised users and insider threats your organisation is facing. Defender for Identity's sensors monitor your organisation's domain controllers and provide a comprehensive view of all user activity from every device.

Identity protection for users, and lowering the attack surface

Defender for Identity gives you valuable insight into identity configurations and suggested security best practices. Through security reports and user profile analytics, Defender for Identity significantly reduces your organisation's attack surface, making it harder to steal user credentials and advance an attack. Defender for Identity's visual Lateral Movement Paths show you exactly how an attacker could move laterally inside your organisation to compromise sensitive accounts, helping you understand the risk at a glance and enabling you to take preventive action. Defender for Identity security reports give you additional information to improve your organisation's security posture and policies, including the ability to identify users and devices that authenticate using clear-text passwords.

Safeguarding the AD FS in hybrid settings

In today's infrastructure, Active Directory Federation Services (AD FS) plays a crucial role in authentication for hybrid environments. Defender for Identity protects the AD FS in your environment by detecting on-premises attacks against AD FS and providing visibility into the authentication events it generates.

Identify advanced attacks and suspicious activity along the cyber-attack kill chain

Attacks are typically launched against any accessible target, such as a low-privileged user, and then move quickly until the attacker gains access to valuable assets such as sensitive accounts, domain administrators and highly sensitive data. Defender for Identity identifies these advanced threats at the source, across the entire cyber-attack kill chain:

Reconnaissance

Identify rogue users and attackers' attempts to gather information. Attackers use a range of techniques to search for information about user identities, group membership, IP addresses assigned to devices, and resources.

Tainted credentials

Identify attempts to compromise user credentials using brute-force attacks, failed authentications, changes to user group membership and other techniques.

Lateral Actions

Detect attempts to move laterally inside the network to gain further control over sensitive users, using techniques such as Pass the Ticket, Pass the Hash, Overpass the Hash and others.

Domain Authority

Highlight attacker activity once domain dominance is achieved, including techniques such as DCShadow, malicious domain controller replication and Golden Ticket activity, together with remote code execution on the domain controller.
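As an added example (not part of this article or of Microsoft's product), a small Python detector that mirrors two of the kill-chain stages above over a constructed set of Windows Security events: a burst of failed logons followed by a success (compromised credentials) and an addition to a privileged group (domain dominance). The event IDs are standard Windows auditing IDs; the sample records, thresholds and group names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real telemetry). 4625 = failed logon,
# 4624 = successful logon, 4728 = member added to a security-enabled global group.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4625, "user": "jdoe", "src": "10.0.0.5"},
    {"time": "2024-05-01T09:00:10", "id": 4625, "user": "jdoe", "src": "10.0.0.5"},
    {"time": "2024-05-01T09:00:20", "id": 4625, "user": "jdoe", "src": "10.0.0.5"},
    {"time": "2024-05-01T09:00:30", "id": 4625, "user": "jdoe", "src": "10.0.0.5"},
    {"time": "2024-05-01T09:00:40", "id": 4625, "user": "jdoe", "src": "10.0.0.5"},
    {"time": "2024-05-01T09:01:05", "id": 4624, "user": "jdoe", "src": "10.0.0.5"},
    {"time": "2024-05-01T09:02:00", "id": 4625, "user": "asmith", "src": "10.0.0.9"},
    {"time": "2024-05-01T09:02:15", "id": 4624, "user": "asmith", "src": "10.0.0.9"},
    {"time": "2024-05-01T09:05:00", "id": 4728, "user": "jdoe", "group": "Domain Admins", "actor": "jdoe"},
    {"time": "2024-05-01T09:06:00", "id": 4728, "user": "asmith", "group": "Sales", "actor": "hr-admin"},
]
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed watch-list


def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Alert when one user/source pair logs `threshold` failed logons inside `window`;
    a later successful logon from the same pair marks the credential as likely compromised."""
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] not in (4624, 4625):
            continue  # group-change events carry no source address
        t, key = datetime.fromisoformat(ev["time"]), (ev["user"], ev["src"])
        if ev["id"] == 4625:
            # keep only failures still inside the sliding window, then add this one
            failures[key] = [x for x in failures[key] if t - x <= window] + [t]
            if len(failures[key]) == threshold:
                alerts.append({"type": "brute_force", "user": key[0], "src": key[1], "success": False})
        else:
            for a in alerts:  # a success after the burst means the guessing worked
                if (a["user"], a["src"]) == key:
                    a["success"] = True
    return alerts


def detect_sensitive_group_changes(events):
    """Flag additions to highly privileged groups; self-elevation is a classic dominance step."""
    return [{"type": "sensitive_group_add", "user": ev["user"], "group": ev["group"],
             "actor": ev["actor"], "self_elevation": ev["actor"] == ev["user"]}
            for ev in events if ev["id"] == 4728 and ev["group"] in SENSITIVE_GROUPS]


if __name__ == "__main__":
    for alert in detect_brute_force(EVENTS) + detect_sensitive_group_changes(EVENTS):
        print(alert)
```

A real deployment would feed the sensor's domain-controller telemetry rather than a static list, but the baseline-and-threshold logic is the same idea the article describes.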

Investigate alerts and user activities

Defender for Identity reduces general alert noise by surfacing only relevant, important security alerts in a simple, real-time organisational attack timeline. Backed by intelligent analytics, the Defender for Identity attack timeline view makes it easy to stay focused on what matters. Use Defender for Identity to quickly investigate threats and gain insight into users, devices and network resources across the whole organisation. Seamless integration with Microsoft Defender for Endpoint adds a further layer of protection by improving detection of, and defence against, advanced operating-system threats.

Professional Labs is the best cloud managed service provider in Saudi Arabia; for more information, please contact us.
