Microsoft Defender for Identity
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection or Azure ATP) is a cloud-based security solution designed to protect enterprise hybrid environments by leveraging on-premises Active Directory signals. It monitors and analyzes user activities, behaviors, and credentials to detect advanced threats, compromised identities, and malicious insider actions directed at an organization.
Key capabilities of Microsoft Defender for Identity include:
1. **Monitoring and Profiling User Behavior**: It creates behavioral baselines for each user by learning their normal activities, access patterns, and credential usage. It then identifies anomalies that deviate from these baselines, signaling potential threats.
2. **Threat Detection**: It identifies suspicious activities across the cyber-attack kill chain, including reconnaissance (e.g., account enumeration, network mapping), compromised credentials (e.g., brute force attacks, pass-the-hash), lateral movement (e.g., pass-the-ticket, overpass-the-hash), and domain dominance (e.g., Golden Ticket attacks, DCSync).
3. **Investigation and Response**: Through the Microsoft 365 Defender portal, security analysts can investigate alerts, review timelines of suspicious activities, and take remediation actions. It provides clear, actionable incident information with detailed evidence.
4. **Identity Security Posture Assessments**: Defender for Identity evaluates an organization's on-premises Active Directory configuration and provides security recommendations to reduce the attack surface and improve identity security posture.
5. **Integration with Microsoft 365 Defender**: It integrates seamlessly with Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, and Microsoft Sentinel, providing a unified investigation experience and correlated signals across endpoints, identities, and cloud applications.
Defender for Identity works by installing lightweight sensors directly on domain controllers and Active Directory Federation Services (AD FS) servers. These sensors capture and analyze network traffic and Windows events locally before sending signals to the cloud service for processing and alerting.
Overall, Microsoft Defender for Identity is a critical component of a Zero Trust security strategy, helping organizations protect their identity infrastructure from increasingly sophisticated cyber threats.
Microsoft Defender for Identity: Complete Guide for SC-900 Exam
Microsoft Defender for Identity is a critical topic within the SC-900 exam, falling under the domain of Capabilities of Microsoft Security Solutions. Understanding this cloud-based security solution is essential for passing the exam and for real-world security knowledge.
Why Is Microsoft Defender for Identity Important?
In today's threat landscape, identity is the new security perimeter. Attackers frequently target on-premises Active Directory environments to steal credentials, escalate privileges, and move laterally across networks. Microsoft Defender for Identity (formerly Azure Advanced Threat Protection or Azure ATP) addresses this critical gap by monitoring and analyzing user activities and information across your on-premises Active Directory infrastructure. Without it, organizations are blind to sophisticated identity-based attacks such as pass-the-hash, pass-the-ticket, and golden ticket attacks.
It is important because:
- Identity is the #1 attack vector: Over 80% of breaches involve compromised credentials.
- On-premises AD remains a high-value target: Most enterprises still rely on Active Directory, making it a prime target for attackers.
- It bridges on-premises and cloud security: It integrates with Microsoft 365 Defender to provide a unified security posture across hybrid environments.
- It enables proactive threat hunting: Security teams can detect threats before they cause damage.
What Is Microsoft Defender for Identity?
Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Key characteristics include:
- It is a component of the Microsoft 365 Defender suite (now part of Microsoft Defender XDR).
- It monitors on-premises Active Directory Domain Services (AD DS) traffic and signals.
- It uses sensors installed on domain controllers or standalone sensors to capture network traffic.
- It provides a cloud-based portal for analysis, alerting, and investigation.
- It does NOT require agents on endpoints — it monitors at the domain controller level.
Core Capabilities:
- Monitor and profile user behavior and activities: Creates behavioral baselines for each user and identifies deviations.
- Protect user identities and reduce attack surface: Provides security assessments and recommendations to harden your Active Directory environment.
- Identify suspicious activities and advanced attacks: Detects known attack techniques across the entire cyber-attack kill chain.
- Investigate alerts and user activities: Provides clear, actionable incident information with timelines of suspicious activities.
- Integration with Microsoft Defender XDR: Correlates signals with Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Cloud Apps.
How Does Microsoft Defender for Identity Work?
1. Sensor Deployment:
Defender for Identity uses sensors that are installed directly on your domain controllers (or as standalone sensors on dedicated servers). These sensors capture and parse network traffic to and from the domain controllers, including authentication requests (Kerberos, NTLM, LDAP), directory service queries, and other AD-related communications.
2. Signal Collection:
The sensors collect signals from Active Directory traffic, Windows Event Logs, and ETW (Event Tracing for Windows) data. This raw data includes authentication events, privilege changes, group membership modifications, and more.
3. Cloud-Based Analysis:
The collected signals are sent to the Defender for Identity cloud service, where advanced analytics, machine learning, and behavioral analysis are applied. The service builds a behavioral profile for each entity (users, devices, resources) and uses this baseline to detect anomalies.
4. Threat Detection:
Defender for Identity detects threats across multiple phases of the attack kill chain:
- Reconnaissance: Detects attempts to gather information about users, IP addresses, and devices (e.g., LDAP enumeration, DNS reconnaissance, account enumeration).
- Compromised credentials: Identifies brute force attacks, failed authentications, and credential exposure.
- Lateral movement: Detects pass-the-hash, pass-the-ticket, overpass-the-hash, and lateral movement path exploitation.
- Domain dominance: Identifies golden ticket usage, DCSync attacks, remote code execution on domain controllers, and skeleton key attacks.
- Exfiltration: Monitors for suspicious data transfers and activities.
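To make steps 2 to 4 concrete, here is an added example (not code from Microsoft or from this guide) that runs the same kind of logic over constructed authentication events: a learning period builds a per-account baseline of "normal" source computers, and a live window is then checked for an account signing in from an unfamiliar computer, for one computer failing against many distinct accounts (reconnaissance-style account enumeration), for repeated failures on one account that end in a success (brute force), and for any activity against a decoy honeytoken account. The event shape, the thresholds (5 accounts in 60 seconds, 5 consecutive failures) and all host and account names are assumptions made for the example; the real service applies machine learning over far richer sensor data, but the alert fields it emits (kind, severity, affected entity, detail) mirror the ones the guide lists.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AuthEvent:
    """One authentication attempt as a sensor might parse it (constructed shape)."""
    ts: int          # seconds from an arbitrary start
    source: str      # computer the request came from
    account: str     # account name presented
    success: bool


@dataclass(frozen=True)
class Alert:
    kind: str
    severity: str    # low / medium / high, as in the guide's alert fields
    entity: str      # affected user or computer
    detail: str


def build_baseline(learning: List[AuthEvent]) -> Dict[str, Set[str]]:
    """Behavioral baseline: the computers each account normally signs in from."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for ev in learning:
        if ev.success:
            baseline[ev.account].add(ev.source)
    return dict(baseline)


def detect_unusual_source(baseline: Dict[str, Set[str]], events: List[AuthEvent]) -> List[Alert]:
    """Anomaly: a known account succeeds from a computer outside its baseline."""
    alerts, seen = [], set()
    for ev in events:
        known = baseline.get(ev.account)
        if ev.success and known is not None and ev.source not in known and (ev.account, ev.source) not in seen:
            seen.add((ev.account, ev.source))
            alerts.append(Alert("unusual-source", "medium", ev.account,
                                f"success from {ev.source}; baseline {sorted(known)}"))
    return alerts


def detect_enumeration(events: List[AuthEvent], window: int = 60, min_accounts: int = 5) -> List[Alert]:
    """Reconnaissance: one computer failing against many distinct accounts within a window."""
    failures: Dict[str, List[AuthEvent]] = defaultdict(list)
    for ev in events:
        if not ev.success:
            failures[ev.source].append(ev)
    alerts = []
    for source, fails in failures.items():
        fails.sort(key=lambda e: e.ts)
        lo = 0
        for hi in range(len(fails)):            # sliding time window over the failures
            while fails[hi].ts - fails[lo].ts > window:
                lo += 1
            accounts = {e.account for e in fails[lo:hi + 1]}
            if len(accounts) >= min_accounts:
                alerts.append(Alert("account-enumeration", "medium", source,
                                    f"{len(accounts)} distinct accounts failed within {window}s"))
                break                            # one alert per source is enough here
    return alerts


def detect_brute_force(events: List[AuthEvent], min_failures: int = 5) -> List[Alert]:
    """Compromised credentials: repeated failures on one account from one computer; a later success raises severity."""
    streak: Dict[Tuple[str, str], int] = defaultdict(int)
    flagged: Set[Tuple[str, str]] = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.source, ev.account)
        if not ev.success:
            streak[key] += 1
            if streak[key] == min_failures:
                flagged.add(key)
                alerts.append(Alert("brute-force", "medium", ev.account,
                                    f"{min_failures} consecutive failures from {ev.source}"))
        else:
            if key in flagged:
                alerts.append(Alert("brute-force-success", "high", ev.account,
                                    f"success from {ev.source} after repeated failures"))
                flagged.discard(key)
            streak[key] = 0
    return alerts


def detect_honeytoken(events: List[AuthEvent], honeytokens: Set[str]) -> List[Alert]:
    """Decoy accounts are never used legitimately, so any attempt against one is an alert."""
    return [Alert("honeytoken-activity", "high", ev.account, f"attempt from {ev.source}")
            for ev in events if ev.account in honeytokens]


def run_detections(baseline: Dict[str, Set[str]], events: List[AuthEvent], honeytokens: Set[str]) -> List[Alert]:
    return (detect_unusual_source(baseline, events) + detect_enumeration(events)
            + detect_brute_force(events) + detect_honeytoken(events, honeytokens))


# Constructed sample data: a learning period, then a window of live traffic.
LEARNING = ([AuthEvent(t, "WS-ALICE", "alice", True) for t in range(0, 3600, 600)]
            + [AuthEvent(t, "WS-BOB", "bob", True) for t in range(0, 3600, 600)])
HONEYTOKENS = {"svc-backup-legacy"}                                   # decoy account (constructed)
LIVE = (
    [AuthEvent(7200, "WS-BOB", "alice", True)]                        # alice from bob's workstation
    + [AuthEvent(7300 + i, "ATTK-01", name, False)                    # one host probing many accounts
       for i, name in enumerate(["administrator", "backup", "svc-sql", "helpdesk", "jsmith", "finance"])]
    + [AuthEvent(7400 + i, "ATTK-01", "bob", False) for i in range(5)]   # password guessing on bob
    + [AuthEvent(7405, "ATTK-01", "bob", True)]                          # which eventually succeeds
    + [AuthEvent(7500, "ATTK-01", "svc-backup-legacy", False)]           # decoy account touched
)

if __name__ == "__main__":
    for a in run_detections(build_baseline(LEARNING), LIVE, HONEYTOKENS):
        print(f"[{a.severity:6}] {a.kind:22} {a.entity:10} {a.detail}")
```

Running it yields six alerts: two unusual-source alerts (alice from WS-BOB, and bob from ATTK-01 once the guessing succeeds), one account-enumeration alert against ATTK-01, a medium brute-force alert that escalates to high when the success arrives, and a high honeytoken alert. The two high-severity alerts are the ones an analyst would open first, which is exactly why the severity field matters in the portal.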
5. Identity Security Posture Assessments:
Defender for Identity provides security posture assessments through Microsoft Secure Score. These assessments identify misconfigurations and vulnerabilities in your Active Directory, such as:
- Entities exposing credentials in clear text
- Dormant accounts in sensitive groups
- Unsecure account attributes
- Weak cipher usage
- Unsecure SID History attributes
- Unmonitored domain controllers
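The assessments above are static checks over directory configuration rather than over traffic. As an added example (not Microsoft's assessment code and not from this guide), the block below encodes four of the listed themes as checks over a constructed snapshot of accounts: dormant accounts in sensitive groups, unsecure account attributes, weak cipher configuration, and SID History entries pointing at privileged RIDs. The userAccountControl and msDS-SupportedEncryptionTypes bit values are the documented Active Directory values; the sensitive-group list, the 90-day dormancy threshold, the privileged RID set and every account record are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# userAccountControl bit values (documented Active Directory flags)
PASSWD_NOTREQD = 0x0020
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080      # reversible encryption: password recoverable in clear text
NORMAL_ACCOUNT = 0x0200
USE_DES_KEY_ONLY = 0x200000
DONT_REQ_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bit values (documented)
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10

# Assumptions made for this example
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
PRIVILEGED_RIDS = {"500", "512", "518", "519"}   # Administrator, Domain/Schema/Enterprise Admins
MAX_IDLE_DAYS = 90
UNSECURE_FLAGS = {
    PASSWD_NOTREQD: "password not required",
    ENCRYPTED_TEXT_PWD_ALLOWED: "reversible encryption enabled",
    DONT_REQ_PREAUTH: "Kerberos pre-authentication disabled",
}


@dataclass
class Account:
    """Constructed shape of the attributes the checks need."""
    sam: str
    uac: int
    groups: Set[str]
    days_since_logon: int
    enc_types: Optional[int] = None          # None: attribute not set on the object
    sid_history: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    check: str
    account: str
    detail: str


def check_dormant_sensitive(accounts: List[Account], max_idle_days: int = MAX_IDLE_DAYS) -> List[Finding]:
    """Members of sensitive groups that have not signed in for a long time."""
    return [Finding("dormant-sensitive", a.sam, f"{a.days_since_logon} days idle, member of {sorted(a.groups & SENSITIVE_GROUPS)}")
            for a in accounts if a.groups & SENSITIVE_GROUPS and a.days_since_logon > max_idle_days]


def check_unsecure_attributes(accounts: List[Account]) -> List[Finding]:
    """One finding per risky userAccountControl flag that is set."""
    return [Finding("unsecure-attribute", a.sam, label)
            for a in accounts for flag, label in UNSECURE_FLAGS.items() if a.uac & flag]


def check_weak_ciphers(accounts: List[Account]) -> List[Finding]:
    """Accounts forced to DES, or whose configured encryption types exclude AES entirely.
    Accounts with the attribute unset are skipped here (an assumption for the example)."""
    out = []
    for a in accounts:
        if a.uac & USE_DES_KEY_ONLY:
            out.append(Finding("weak-cipher", a.sam, "USE_DES_KEY_ONLY set"))
        elif a.enc_types is not None and not a.enc_types & (AES128 | AES256):
            out.append(Finding("weak-cipher", a.sam, f"no AES in msDS-SupportedEncryptionTypes (0x{a.enc_types:x})"))
    return out


def check_sid_history(accounts: List[Account]) -> List[Finding]:
    """SID History entries whose RID is a well-known privileged one."""
    return [Finding("unsecure-sid-history", a.sam, sid)
            for a in accounts for sid in a.sid_history if sid.rsplit("-", 1)[-1] in PRIVILEGED_RIDS]


def assess(accounts: List[Account]) -> List[Finding]:
    return (check_dormant_sensitive(accounts) + check_unsecure_attributes(accounts)
            + check_weak_ciphers(accounts) + check_sid_history(accounts))


# Constructed directory snapshot
SAMPLE_ACCOUNTS = [
    Account("jdoe", NORMAL_ACCOUNT, {"Domain Users"}, 3, AES128 | AES256),
    Account("oldadmin", NORMAL_ACCOUNT, {"Domain Admins"}, 200, AES256 | RC4_HMAC),
    Account("svc-legacy", NORMAL_ACCOUNT | PASSWD_NOTREQD | DONT_REQ_PREAUTH, {"Domain Users"}, 10, DES_CBC_MD5 | RC4_HMAC),
    Account("migrated", NORMAL_ACCOUNT, {"Domain Users"}, 1, AES256, ["S-1-5-21-1111-2222-3333-512"]),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_ACCOUNTS):
        print(f"{f.check:22} {f.account:12} {f.detail}")
```

The snapshot produces five findings: oldadmin is a dormant Domain Admin, svc-legacy has two risky flags and no AES encryption types, and migrated carries a SID History entry for a Domain Admins RID from another domain. In the product these findings surface as Secure Score recommendations; the point of the example is that each one is a concrete, checkable attribute rather than a behavioral judgement.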
6. Alerting and Investigation:
When suspicious activity is detected, alerts are generated in the Microsoft 365 Defender portal. Each alert includes:
- A description of the suspicious activity
- The affected entities (users, computers)
- A timeline of events
- Recommended remediation steps
- Severity classification (low, medium, high)
7. Lateral Movement Paths:
One of the most powerful features is the Lateral Movement Path (LMP) analysis. Defender for Identity maps out how an attacker could move from a compromised non-sensitive account to reach sensitive accounts or domain admin credentials. This visual map helps security teams proactively close these paths.
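The mapping the guide describes is a graph search. As an added example (not Microsoft's LMP engine and not code from this guide), the block below models two relationship types that such a map is built from: an account holding local administrator rights on a computer, and an account having a logon session on a computer, which leaves its credentials exposed there. A path exists when the two chain: an account's admin rights on a computer reach every account with a session on that computer, and so on until a sensitive account is reached. A breadth-first search returns the shortest such path for every non-sensitive account, and the last hop is reported as the place to cut it. All account and computer names, and the sensitive set, are constructed for the example.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Graph = Dict[str, Set[str]]   # account -> computers, or computer -> accounts


def find_lmp(admin_on: Graph, sessions_on: Graph, start: str, sensitive: Set[str]) -> Optional[List[str]]:
    """Breadth-first search from `start` to the nearest sensitive account.
    Each hop: current account is admin on a computer -> every account with a session on
    that computer becomes reachable. Returns [account, computer, account, ...] or None."""
    parent: Dict[str, Optional[Tuple[str, str]]] = {start: None}
    queue = deque([start])
    while queue:
        acct = queue.popleft()
        if acct in sensitive and acct != start:
            path = [acct]
            while parent[path[-1]] is not None:          # walk back to the start
                prev_acct, via_host = parent[path[-1]]
                path += [via_host, prev_acct]
            return path[::-1]
        for host in sorted(admin_on.get(acct, ())):      # sorted for deterministic paths
            for victim in sorted(sessions_on.get(host, ())):
                if victim not in parent:
                    parent[victim] = (acct, host)
                    queue.append(victim)
    return None


def lateral_movement_paths(admin_on: Graph, sessions_on: Graph, sensitive: Set[str]) -> Dict[str, List[str]]:
    """Every non-sensitive account that can reach a sensitive one, with its shortest path."""
    starts = set(admin_on) | {a for accts in sessions_on.values() for a in accts}
    result: Dict[str, List[str]] = {}
    for start in sorted(starts - sensitive):
        path = find_lmp(admin_on, sessions_on, start, sensitive)
        if path:
            result[start] = path
    return result


def remediation_hint(path: List[str]) -> Tuple[str, str]:
    """The last hop is the cheapest cut: the sensitive account should not be leaving
    a session on a computer that less-sensitive accounts administer."""
    return path[-1], path[-2]


# Constructed relationship graph
ADMIN_ON = {
    "alice": {"WS-01"},
    "bob": {"WS-02"},
    "helpdesk": {"WS-01", "WS-02", "SRV-FILE"},
    "da-carol": {"WS-01", "WS-02", "SRV-FILE", "DC-01"},
}
SESSIONS_ON = {
    "WS-01": {"alice", "helpdesk"},
    "WS-02": {"bob"},
    "SRV-FILE": {"da-carol"},      # the domain admin signed in to a file server
    "DC-01": {"da-carol"},
}
SENSITIVE = {"da-carol"}

if __name__ == "__main__":
    for start, path in lateral_movement_paths(ADMIN_ON, SESSIONS_ON, SENSITIVE).items():
        acct, host = remediation_hint(path)
        print(f"{start}: {' -> '.join(path)}   (cut: {acct} session on {host})")
```

With this graph, alice reaches da-carol in two hops through helpdesk's rights on SRV-FILE, helpdesk reaches it in one, and bob has no path at all. Both paths share the same final hop, so a single change (keeping the domain admin account off SRV-FILE, or removing helpdesk's admin rights there) closes them, which is the kind of proactive fix the LMP view is meant to drive.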
8. Integration with Microsoft Defender XDR:
Defender for Identity integrates seamlessly with the broader Microsoft Defender XDR ecosystem. Alerts and signals from identity threats are correlated with endpoint, email, and cloud app signals to create unified incidents that provide a complete attack story.
Key Terminology to Know:
- Sensor: The component installed on domain controllers to capture AD signals.
- Workspace: The Defender for Identity instance configured for your organization.
- Entity: A user, computer, or resource being monitored.
- Behavioral baseline: The normal activity pattern established for each entity.
- Lateral Movement Path (LMP): A mapped route showing how attackers could escalate privileges.
- Honeytoken accounts: Decoy accounts configured in Defender for Identity to detect reconnaissance and credential theft attempts.
What Defender for Identity Does NOT Do:
- It does not protect endpoints directly (that is Microsoft Defender for Endpoint).
- It does not protect email (that is Microsoft Defender for Office 365).
- It does not protect cloud applications directly (that is Microsoft Defender for Cloud Apps).
- It does not replace Azure AD Identity Protection, which focuses on cloud-based identity risks (sign-in risk, user risk).
- It focuses on on-premises Active Directory, not Azure Active Directory (now Microsoft Entra ID).
Defender for Identity vs. Microsoft Entra ID Protection:
This is a commonly tested distinction:
- Microsoft Defender for Identity: Monitors on-premises Active Directory for identity-based threats.
- Microsoft Entra ID Protection (Azure AD Identity Protection): Monitors cloud-based identity risks in Microsoft Entra ID (Azure AD), such as risky sign-ins, leaked credentials, and impossible travel.
Exam Tips: Answering Questions on Microsoft Defender for Identity
Tip 1: Remember the Primary Focus
Whenever a question mentions protecting on-premises Active Directory, detecting lateral movement, or identifying compromised identities in AD DS, the answer is almost always Microsoft Defender for Identity. If the question mentions cloud identities, sign-in risk, or user risk policies, think Microsoft Entra ID Protection.
Tip 2: Know the Attack Types
The exam may describe specific attack scenarios. Remember that Defender for Identity detects: pass-the-hash, pass-the-ticket, golden ticket, DCSync, brute force against AD, reconnaissance, and lateral movement. If a question describes any of these, Defender for Identity is the answer.
Tip 3: Understand the Sensor Architecture
Know that sensors are installed on domain controllers. The exam might ask where the sensor is deployed. It is NOT installed on endpoints, NOT on Azure AD, and NOT on a cloud service — it is on the domain controller itself.
Tip 4: Differentiate from Other Defender Products
The SC-900 exam frequently tests your ability to distinguish between:
- Defender for Identity → On-premises AD identity threats
- Defender for Endpoint → Endpoint/device protection
- Defender for Office 365 → Email and collaboration tool protection
- Defender for Cloud Apps → Cloud application security (CASB)
- Microsoft Defender for Cloud → Cloud workload protection (Azure, AWS, GCP)
If the question asks about protecting identities in an on-premises environment, always choose Defender for Identity.
Tip 5: Know the Integration Story
Defender for Identity is part of Microsoft Defender XDR (formerly Microsoft 365 Defender). The exam may ask which portal is used — the answer is the Microsoft 365 Defender portal (security.microsoft.com).
Tip 6: Security Posture Assessments
Remember that Defender for Identity contributes to Microsoft Secure Score by providing identity security posture assessments. If a question asks about identifying AD misconfigurations or improving identity security posture, Defender for Identity is relevant.
Tip 7: Honeytoken Accounts
If the exam mentions decoy accounts used to detect attacker activity in Active Directory, the answer relates to honeytoken accounts in Defender for Identity.
Tip 8: Watch for Keyword Triggers
Key phrases that point to Defender for Identity:
- On-premises Active Directory
- Domain controller
- Lateral movement
- Pass-the-hash / pass-the-ticket
- Compromised identities (on-premises)
- Reconnaissance against AD
- User behavior analytics (on-premises)
- Identity-based attacks
- Golden ticket / DCSync
Tip 9: Understand It Is Cloud-Based
Despite monitoring on-premises AD, Defender for Identity itself is a cloud-based service. The sensors are on-premises, but the analysis and portal are in the cloud. This is a subtle but important distinction the exam may test.
Tip 10: Process of Elimination
If you are unsure, eliminate options that clearly belong to other products. If the scenario involves email phishing, eliminate Defender for Identity. If it involves endpoint malware, eliminate it. If it involves cloud app shadow IT, eliminate it. What remains for on-premises identity threats is Defender for Identity.
Summary for Quick Review:
- What: Cloud-based security solution for on-premises Active Directory
- Where sensors are deployed: On domain controllers
- What it detects: Lateral movement, credential theft, reconnaissance, domain dominance, compromised identities
- Part of: Microsoft Defender XDR (Microsoft 365 Defender)
- Portal: Microsoft 365 Defender portal (security.microsoft.com)
- Key differentiator: On-premises AD focus (vs. Microsoft Entra ID Protection for cloud identities)
- Contributes to: Microsoft Secure Score with identity security posture assessments