
Microsoft Defender for Identity explained

Defender for Identity detects identity-based attacks against on-prem Active Directory and Entra ID. Here's how it works.

Microsoft Defender for Identity (MDI) is the part of the Defender stack that watches for identity-based attacks: credential theft, lateral movement, golden ticket attacks, domain controller reconnaissance, and the like. It is purpose-built for hybrid identity. Sensors run on domain controllers, on AD FS and AD CS servers and, more recently, on Entra Connect servers. Entra ID itself has no sensor; its cloud-side signals come from Entra ID Protection and are surfaced alongside MDI detections in the Defender portal.

What MDI detects

A non-exhaustive list of the techniques MDI watches for:

  • Reconnaissance: account enumeration, SMB session enumeration, network-mapping reconnaissance via DNS.
  • Compromised credentials: brute force (Kerberos, NTLM, LDAP), password spray, suspicious sign-ins.
  • Lateral movement: pass-the-hash, pass-the-ticket, overpass-the-hash, NTLM relay.
  • Domain dominance: golden ticket, silver ticket, DCSync, DCShadow.
  • Exfiltration: unusual SMB activity, large file copies from a domain controller.
  • Entra ID-side attacks (via Entra ID Protection): risky sign-ins, risky users, password spray against cloud-only accounts.

Detections fire as alerts that flow into Defender XDR alongside endpoint, email, and cloud-app signals.

How sensors work

MDI deploys sensors on:

  • Domain controllers: capture network traffic to the DC (Kerberos, NTLM, LDAP, DNS, SMB), ETW events, and Windows security events.
  • AD FS servers (if you still run federation) and AD CS servers (certificate issuance is an identity path attackers abuse).
  • Entra Connect servers.
  • Entra ID: there is no sensor for the cloud directory; Entra ID Protection signals are surfaced next to MDI alerts in the unified portal.

The sensor is a Windows service (AATPSensor, plus an updater service) that runs directly on the server and throttles its own CPU and memory use, so performance impact on a DC is small. Deploy it on every DC, including disaster-recovery-site DCs, rather than a sample: a DC without a sensor authenticates users MDI never sees, and those blind spots accumulate.

Integration with the rest of Defender

MDI's value compounds when its signals correlate with others in Defender XDR:

  • A phishing click in Defender for Office 365 →
  • Credential theft on an endpoint in Defender for Endpoint →
  • A lateral movement attempt in MDI →
  • A suspicious SaaS sign-in in Defender for Cloud Apps.

XDR groups these into a single incident with the full attack timeline, automating the manual correlation that's traditionally taken days.
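The cross-product correlation described above can also be checked by hand from advanced hunting, which is where the detections listed earlier end up. The following PowerShell is an added example, not code from the page or from Microsoft: it runs a KQL query through the Microsoft Graph advanced hunting endpoint and lists accounts that appear as evidence in alerts from two or more Defender products. It assumes the Microsoft.Graph.Security module, a signed-in identity with the ThreatHunting.Read.All permission, and that the AlertEvidence table carries the ServiceSource, EntityType, AccountUpn and Title columns; the function name and thresholds are this example's own.

```powershell
# Added example (not from the page or from Microsoft).
# Assumes: Microsoft.Graph.Security module, ThreatHunting.Read.All, and the Defender XDR
# advanced hunting schema for AlertEvidence (ServiceSource, EntityType, AccountUpn, Title).
#Requires -Modules Microsoft.Graph.Security

function Get-CrossProductIdentityHits {
    [CmdletBinding()]
    param(
        [int]$Days = 7,         # look-back window
        [int]$MinProducts = 2   # flag accounts seen by at least this many Defender products
    )

    # One row per account: the set of products that raised alerts naming it, the alert titles,
    # and the first/last time it was seen. ServiceSource distinguishes MDI, MDE, MDO and MDA.
    $kql = @"
AlertEvidence
| where Timestamp > ago(${Days}d)
| where EntityType == "User" and isnotempty(AccountUpn)
| summarize Products = make_set(ServiceSource),
            Alerts   = make_set(Title),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp) by AccountUpn
| where array_length(Products) >= $MinProducts
| order by array_length(Products) desc, LastSeen desc
"@

    Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome
    $response = Start-MgSecurityHuntingQuery -Query $kql

    # Each result row exposes its columns through AdditionalProperties (assumed Graph SDK shape).
    foreach ($row in $response.Results) {
        $p = $row.AdditionalProperties
        [pscustomobject]@{
            AccountUpn = $p['AccountUpn']
            Products   = (@($p['Products']) -join ', ')
            AlertCount = @($p['Alerts']).Count
            FirstSeen  = $p['FirstSeen']
            LastSeen   = $p['LastSeen']
            Alerts     = (@($p['Alerts']) -join ' | ')
        }
    }
}

# Usage: accounts tied to alerts from two or more products in the last week, most-correlated first.
Get-CrossProductIdentityHits -Days 7 -MinProducts 2 | Format-Table AccountUpn, Products, AlertCount, LastSeen -AutoSize
```

An account that shows up with, say, Microsoft Defender for Office 365 and Microsoft Defender for Identity in the same week is exactly the chain the incident view stitches together automatically; the query is useful for confirming that the products in your tenant are actually feeding the same evidence graph, and for spotting accounts that never made it into an incident.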

Identity Threat Detection and Response (ITDR)

MDI is Microsoft's offering in the ITDR category, identity threat detection and response. Identity is increasingly the attack surface of choice, since many intrusions now run on stolen or abused credentials rather than a malware payload, which makes ITDR one of the highest-leverage security investments a Microsoft 365 customer can make.

Licensing

MDI is included in Microsoft 365 E5, Microsoft 365 E5 Security, and Enterprise Mobility + Security E5. It's also sold standalone.

Rollout

  • Inventory all DCs in every domain of the forest, including disaster-recovery sites.
  • Deploy sensors broadly; every DC without a sensor is a blind spot.
  • Configure the advanced audit policies and object auditing MDI needs on every DC, and create the Directory Service Account it uses to query AD (a group managed service account is recommended). The DefenderForIdentity PowerShell module (Test-MDIConfiguration, Set-MDIConfiguration) checks and applies these settings.
  • Validate detections with simulated attacks: Atomic Red Team tests for credential theft and lateral movement, or a SharpHound/BloodHound collection run, which should trigger MDI's reconnaissance alerts.
  • Onboard SOC analysts to the Defender XDR portal and advanced hunting.
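The first three steps above (inventory, sensor coverage, audit policy) are what most rollouts get wrong, so they are worth scripting as a repeatable pre-flight check. The following PowerShell is an added example, not code from the page or from Microsoft, and it deliberately uses only built-in tooling rather than the DefenderForIdentity module so it also works as an independent cross-check. It assumes the RSAT ActiveDirectory module, WinRM access to every DC, and English (en-US) auditpol output; the service names AATPSensor and AATPSensorUpdater are the real MDI sensor services, but the audit subcategory list is the subset this example checks, not MDI's complete requirement. The DSA name mdiSvc01 is a placeholder.

```powershell
# Added example (not from the page or from Microsoft): pre-flight coverage check for an MDI rollout.
# Assumes: RSAT ActiveDirectory module, WinRM to every DC, en-US auditpol output.
#Requires -Modules ActiveDirectory

# Subset of the advanced audit subcategories MDI relies on; each should be "Success and Failure".
# Subcategory names are locale-specific; these are the en-US names.
$RequiredAudit = @(
    'Credential Validation',
    'Security Group Management',
    'User Account Management',
    'Computer Account Management',
    'Directory Service Access',
    'Directory Service Changes',
    'Logon'
)

function Get-MdiCoverageReport {
    [CmdletBinding()]
    param(
        [string[]]$AuditSubcategories = $RequiredAudit,
        [string]$DsaName = 'mdiSvc01'   # placeholder gMSA name; assumption, not a real default
    )

    # Step 1: inventory every DC in every domain of the forest, DR sites included.
    $forest = Get-ADForest
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    # Step 3 (DSA): confirm the Directory Service Account exists as a gMSA in the root domain.
    $dsaExists = $null -ne (Get-ADServiceAccount -Filter "Name -eq '$DsaName'" -Server $forest.RootDomain)

    foreach ($dc in $dcs) {
        $row = [ordered]@{
            DomainController = $dc.HostName
            Domain           = $dc.Domain
            Site             = $dc.Site
            SensorInstalled  = $false
            SensorRunning    = $false
            AuditGaps        = @()
            DsaExists        = $dsaExists
            Error            = $null
        }
        try {
            # Steps 2 and 3 (audit): one remote session per DC returns sensor state and audit gaps.
            $remote = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop `
                -ArgumentList (,$AuditSubcategories) -ScriptBlock {
                param($subs)
                $svc = Get-Service -Name 'AATPSensor' -ErrorAction SilentlyContinue
                $upd = Get-Service -Name 'AATPSensorUpdater' -ErrorAction SilentlyContinue
                $gaps = foreach ($sub in $subs) {
                    # auditpol /r emits CSV; "Inclusion Setting" holds the effective setting.
                    $line = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv | Select-Object -First 1
                    if ($line.'Inclusion Setting' -ne 'Success and Failure') {
                        "$sub = $($line.'Inclusion Setting')"
                    }
                }
                [pscustomobject]@{
                    Installed = ($null -ne $svc -and $null -ne $upd)
                    Running   = ($null -ne $svc -and $svc.Status -eq 'Running')
                    Gaps      = @($gaps)
                }
            }
            $row.SensorInstalled = $remote.Installed
            $row.SensorRunning   = $remote.Running
            $row.AuditGaps       = $remote.Gaps
        } catch {
            # An unreachable DC is itself a finding: you cannot verify what you cannot reach.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Usage: list only the DCs that need attention before the rollout is declared complete.
Get-MdiCoverageReport |
    Where-Object { -not $_.SensorRunning -or $_.AuditGaps.Count -gt 0 -or $_.Error } |
    Format-Table DomainController, Site, SensorInstalled, SensorRunning, AuditGaps, Error -AutoSize
```

Run it from a management host after the sensors are deployed and again after each domain controller is added or rebuilt; an empty result is the state you want before sign-off. On a non-English DC, either map the subcategory names to the local language or switch to checking the subcategory GUIDs, which auditpol also accepts.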

For organisations with on-premises AD, MDI is the single most useful detection product they can deploy.