What is Microsoft Defender for Identity?
Microsoft Defender for Identity is a cloud-based security solution that helps secure your identity monitoring across your organization.
Defender for Identity is fully integrated with Microsoft 365 Defender, and leverages signals from both on-premises Active Directory and cloud identities to help you better identify, detect, and investigate advanced threats directed at your organization.
Deploy Defender for Identity to help your SecOp teams deliver a modern identity threat detection (ITDR) solution across hybrid environments, including:
- Prevent breaches, using proactive identity security posture assessments
- Detect threats, using real-time analytics and data intelligence
- Investigate suspicious activities, using clear, actionable incident information
- Respond to attacks, using automatic response to compromised identities
Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP).
Customers using the classic Defender for Identity portal are now automatically redirected to Microsoft 365 Defender, with no option to revert back to the classic portal.
For more information, see our blog post and Microsoft Defender for Identity in Microsoft 365 Defender.
Protect user identities and reduce the attack surface
Defender for Identity provides you with invaluable insights on identity configurations and suggested security best-practices. Through security reports and user profile analytics, Defender for Identity helps dramatically reduce your organizational attack surface, making it harder to compromise user credentials, and advance an attack.
Proactively assess your identity posture
Defender for Identity provides you with a clear view of your identity security posture, helping you to identify and resolve security issues before they can be exploited by attackers.
Defender for Identity's Lateral Movement Paths help you quickly understand exactly how an attacker can move laterally inside your organization. Lateral movement paths can compromise sensitive accounts, and Defender for Identity helps you prevent those risks in advance.
Detect threats across modern identity environments
Modern identity environments often span both on-premises and in the cloud. Defender for Identity uses data from across your environment, including domain controllers, Active Directory Federation Services (AD FS), and Active Directory Certificate services (AD CS), to provide you with a complete view of your identity environment.
Defender for Identity sensors monitor domain controller traffic by default. For AD FS / AD CS servers, make sure to install the relevant sensor type for complete identity monitoring.
For more information, see:
- Deploy Microsoft Defender for Identity with Microsoft 365 Defender
- Microsoft Defender for Identity on Active Directory Federation Services (AD FS)
Identify suspicious activities across the cyber-attack kill-chain
Typically, attacks are launched against any accessible entity, such as a low-privileged user. Attackers then quickly move laterally until they gain access to valuable assets, such as sensitive accounts, domain administrators, and highly sensitive data.
Defender for Identity identifies these advanced threats at the source throughout the entire cyber-attack kill chain:
|Threat||In Defender for Identity ...|
|Reconnaissance||Identify rogue users and attackers' attempts to gain information.
Attackers search for information about user names, users' group membership, IP addresses assigned to devices, resources, and more, using various methods.
|Compromised credentials||Identify attempts to compromise user credentials using brute force attacks, failed authentications, user group membership changes, and other methods.|
|Lateral movements||Detect attempts to move laterally inside the network to gain further control of sensitive users, utilizing methods such as Pass the Ticket, Pass the Hash, Overpass the Hash and more.|
|Domain dominance||View highlighted attacker behavior if domain dominance is achieved. For example, attackers might run code remotely on the domain controller, or use methods like DC Shadow, malicious domain controller replication, Golden Ticket activities, and more.|
For more information, see Security alerts in Microsoft Defender for Identity.
Investigate alerts and user activities
Defender for Identity is designed to reduce general alert noise, providing you with a prioritized list of relevant, important security alerts in a simple, real-time organizational attack timeline.
Seamless integration with Microsoft 365 Defender provides another layer of enhanced security by correlating data from other domains, for greater visibility and accuracy across users, devices, and network resources.
Use the following table to find more resources about Defender for Identity:
|Learn more||- Deploy Microsoft Defender for Identity
- Licensing and privacy FAQs
- Defender for Identity frequently asked questions
- Working with security alerts
- Defender for Identity architecture
- Zero Trust with Defender for Identity
|Join communities||- Follow Defender for Identity on the Microsoft TechCommunity
- Join the Defender for Identity Yammer community
- Read the Defender for Identity blog
|Roadmap||See the upcoming roadmap for Defender for Identity|
|Product page||Visit the Defender for Identity product page|
|Free trial||Start a free trial|