@Darragh Martin Thank you for reaching out to us.
Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory ( whether it is on premise or on azure ) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
It analyzes user activities and information across your network, such as permissions and group membership, creating a behavioral baseline for each user. Defender for Identity then identifies anomalies with adaptive built-in intelligence, giving you insights into suspicious activities and events, revealing the advanced threats, compromised users, and insider threats facing your organization.
Basically it monitors your domain controllers by capturing and parsing network traffic and leveraging Windows events directly from your domain controllers, then analyzes the data for attacks and threats. Utilizing profiling, deterministic detection, machine learning, and behavioral algorithms Defender for Identity learns about your network, enables detection of anomalies, and warns you of suspicious activities.
Refer to this article https://learn.microsoft.com/en-us/defender-for-identity/what-is explains the capabilities Defender for Identity provides to the organization, even though you have your domain controllers on Azure, its necessary to have this security solution which helps reduce attack surface, detect in real time, investigate threats and respond to threats.
https://learn.microsoft.com/en-us/defender-for-identity/alerts-overview - explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat.
Microsoft Defender for Identity architecture - https://learn.microsoft.com/en-us/defender-for-identity/architecture
Reference: https://www.youtube.com/watch?v=hhS8VdGnfOU - Understanding and Getting Started with ZERO TRUST
Let me know if you have any further questions, please feel free to post back.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.