What is Microsoft Defender for Identity?

Microsoft Defender for Identity is a cloud-based security solution that helps secure your identity monitoring across your organization.

Defender for Identity is fully integrated with Microsoft Defender XDR, and leverages signals from both on-premises Active Directory and cloud identities to help you better identify, detect, and investigate advanced threats directed at your organization.

Deploy Defender for Identity to help your SecOp teams deliver a modern identity threat detection (ITDR) solution across hybrid environments, including:

  • Prevent breaches, using proactive identity security posture assessments
  • Detect threats, using real-time analytics and data intelligence
  • Investigate suspicious activities, using clear, actionable incident information
  • Respond to attacks, using automatic response to compromised identities

Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP).


Customers using the classic Defender for Identity portal are now automatically redirected to Microsoft Defender XDR, with no option to revert back to the classic portal.

For more information, see our blog post and Microsoft Defender for Identity in Microsoft Defender XDR.

Protect user identities and reduce the attack surface

Defender for Identity provides you with invaluable insights on identity configurations and suggested security best-practices. Through security reports and user profile analytics, Defender for Identity helps dramatically reduce your organizational attack surface, making it harder to compromise user credentials, and advance an attack.

Proactively assess your identity posture

Defender for Identity provides you with a clear view of your identity security posture, helping you to identify and resolve security issues before they can be exploited by attackers.

For example:

  • Defender for Identity's Lateral Movement Paths help you quickly understand exactly how an attacker can move laterally inside your organization. Lateral movement paths can compromise sensitive accounts, and Defender for Identity helps you prevent those risks in advance.

  • Defender for Identity security assessments, available from Microsoft Secure Score, provide extra insights to improve your organizational security posture and policies.

Detect threats across modern identity environments

Modern identity environments often span both on-premises and in the cloud. Defender for Identity uses data from across your environment, including domain controllers, Active Directory Federation Services (AD FS), and Active Directory Certificate services (AD CS), to provide you with a complete view of your identity environment.

Defender for Identity sensors monitor domain controller traffic by default. For AD FS / AD CS servers, make sure to install the relevant sensor type for complete identity monitoring.

For more information, see:

Identify suspicious activities across the cyber-attack kill-chain

Typically, attacks are launched against any accessible entity, such as a low-privileged user. Attackers then quickly move laterally until they gain access to valuable assets, such as sensitive accounts, domain administrators, and highly sensitive data.

Defender for Identity identifies these advanced threats at the source throughout the entire cyber-attack kill chain:

Threat In Defender for Identity ...
Reconnaissance Identify rogue users and attackers' attempts to gain information.

Attackers search for information about user names, users' group membership, IP addresses assigned to devices, resources, and more, using various methods.
Compromised credentials Identify attempts to compromise user credentials using brute force attacks, failed authentications, user group membership changes, and other methods.
Lateral movements Detect attempts to move laterally inside the network to gain further control of sensitive users, utilizing methods such as Pass the Ticket, Pass the Hash, Overpass the Hash and more.
Domain dominance View highlighted attacker behavior if domain dominance is achieved. For example, attackers might run code remotely on the domain controller, or use methods like DC Shadow, malicious domain controller replication, Golden Ticket activities, and more.

For more information, see Security alerts in Microsoft Defender for Identity.

Investigate alerts and user activities

Defender for Identity is designed to reduce general alert noise, providing you with a prioritized list of relevant, important security alerts in a simple, real-time organizational attack timeline.

Seamless integration with Microsoft Defender XDR provides another layer of enhanced security by correlating data from other domains, for greater visibility and accuracy across users, devices, and network resources.

For more information, see Investigate assets and Investigate security alerts.

Use the following table to find more resources about Defender for Identity:

Resource type References
Learn more - Deploy Microsoft Defender for Identity
- Licensing and privacy FAQs
- Defender for Identity frequently asked questions
- Working with security alerts
- Defender for Identity architecture
- Zero Trust with Defender for Identity
Join communities - Follow Defender for Identity on the Microsoft TechCommunity
- Join the Defender for Identity Yammer community
- Read the Defender for Identity blog
Roadmap See the upcoming roadmap for Defender for Identity
Product page Visit the Defender for Identity product page
Free trial Start a free trial