Microsoft Defender for Identity in Microsoft 365 Defender
Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.
Microsoft Defender for Identity is now part of Microsoft 365 Defender. The Microsoft 365 Defender portal allows security admins to perform their security tasks in one location. This will simplify workflows, and add the functionality of the other Microsoft 365 Defender services. Microsoft 365 Defender will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure.
Microsoft Defender for Identity contributes identity focused information into the incidents and alerts that Microsoft 365 Defender presents. This information is key to providing context and correlating alerts from the other products within Microsoft 365 Defender.
The table below lists the changes in navigation between Microsoft Defender for Identity and Microsoft 365 Defender.
|Defender for Identity||Microsoft 365 Defender|
|Timeline||Microsoft 365 Defender Alerts/Incidents queue|
|Reports||Lateral movement path and passwords exposed in cleartext reports are covered by the Identity security posture assessments (ISPM)
Health issues are available in Settings -> Identities -> Health issues
Summary of alerts can be found by exporting the alerts queue or using Advanced Hunting (30 days of data)
Modification to sensitive groups can be found by using Advanced hunting
Customized reports can be created in Microsoft 365 Defender portal using Advanced hunting
|User page||Microsoft 365 Defender User page|
|Device page||Microsoft 365 Defender Device page|
|Group page||Microsoft 365 Defender groups side pane|
|Alert page||Microsoft 365 Defender Alert page|
|Search||Microsoft 365 Defender Search|
|Health center||Settings -> Identities -> Sensors|
|Entity Activities||Advanced hunting
|Settings||Settings -> Identities|
|Users and accounts||Assets -> Identities|
|Identity security posture||Microsoft Defender for Identity's security posture assessments|
|Onboarding a new Workspace||Settings -> Identities (automatically)|
Defender for Identity settings
To access the Microsoft Defender for Identity configuration settings, in Microsoft 365 Defender, go to Settings and then Identities.
Defender for Identity security posture
All the identity security posture management assessments that were previously accessible in Defender for Cloud Apps are now available in Microsoft Secure Score, which can be found at https://security.microsoft.com/securescore in the Microsoft 365 Defender portal. For more information, see Microsoft Defender for Identity's security posture assessments.
Global search in Microsoft 365 Defender (using the search bar at the top of the page) allows security teams to look for any entity being monitored by Microsoft 365 Defender, be it identity, endpoint, Office 365 data, and more. Results can be interacted with directly from the search drop-down, or security teams can choose to select All users or All devices to see all entities associated with that search term.
Onboarding and administration
The onboarding process is now automatic for new customers, with no need to manually configure a workspace. Additionally, all the admin features are available under the Identities menu in Microsoft 365 Defender's Settings.
Alerting and incident correlation
Defender for Identity alerts are now included in Microsoft 365 Defender's alert queue, making them available to the auto incident correlation feature. This ensures that all alerts are available in one place, and that the scope of a breach can be determined quicker than before. For more information, see Defender for Identity security alerts in Microsoft 365 Defender.
Advanced hunting (new)
You can now proactively search for threats and malicious activity by using advanced hunting queries. These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats.
Custom detection rules can be built from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices. For more information, see Proactively hunt for threats with advanced hunting in Microsoft 365 Defender.
Alert exclusions (updated)
The alert interface is more user friendly, including adding a useful search function. Additionally, it now includes global exclusions. This means that any entity can be excluded from all alerts generated by Defender for Identity, helping with any testing scenarios you may have. For more information, see Configure Defender for Identity detection exclusions in Microsoft 365 Defender.
Defender for Identity data is now included in the Microsoft 365 User and Device entity profiles.
Remediation actions (new)
Defender for Identity remediation actions, such as disabling accounts or requiring password resets, can now be taken from the Microsoft 365 Defender User page. For more information, see Remediation actions in Microsoft Defender for Identity.
Lateral movement paths
In addition to the Lateral movement paths tab on the user page, lateral movement paths can also be discovered via the Advanced hunting feature and the Lateral Movement paths security assessment. For more information, see Microsoft Defender for Identity Lateral Movement Paths (LMPs).
Submit and view feedback for