8.5 Defender for Identity
Key Takeaways
- Defender for Identity protects on-premises Active Directory.
- Do not treat Defender for Identity as the same thing as Microsoft Entra ID Governance.
- On-premises Active Directory wording is the strongest product-matching cue.
- Identity security products can sit in different exam domains, so read the scenario carefully.
Protecting On-Premises Active Directory
Defender for Identity protects on-premises Active Directory. This wording comes directly from the source brief and is the safest way to answer SC-900 product-matching questions about this Defender service. If the prompt names on-premises Active Directory protection, choose Defender for Identity.
The word identity can be tricky because Microsoft Entra has a large exam domain. Microsoft Entra ID, Conditional Access, roles, role-based access control, identity governance, access reviews, Privileged Identity Management, lifecycle governance, and ID Protection all live in the identity and access management part of the exam. Defender for Identity is in the Microsoft security solutions domain and has the specific on-premises Active Directory protection boundary.
| Scenario cue | Best product area | Why |
|---|---|---|
| Protect on-premises Active Directory | Defender for Identity | Direct source brief wording |
| Conditional Access | Microsoft Entra | Access management topic |
| Privileged role activation | Microsoft Entra PIM | Governance and least privilege topic |
| Access reviews | Microsoft Entra ID Governance | Review access over time |
A good exam habit is to read for the action. If the prompt asks to govern access, review access, or activate privileged roles, it is not asking for Defender for Identity. If the prompt asks to protect on-premises Active Directory from a security perspective, it is asking for Defender for Identity. The surface and action together determine the answer.
Do not send Defender for Identity scenarios to Defender for Endpoint. Endpoint devices and on-premises Active Directory are different protected surfaces. Do not send them to Defender for Office 365, which protects email and collaboration workloads. Do not send them to Defender for Cloud Apps, which covers CASB and SaaS app discovery and control.
Use these memory cues:
- On-premises Active Directory protection means Defender for Identity.
- Cloud identity, roles, governance, PIM, or Conditional Access means Microsoft Entra.
- Endpoint device protection means Defender for Endpoint.
- Email and collaboration means Defender for Office 365.
- SaaS app discovery and control means Defender for Cloud Apps.
SC-900 does not require deep deployment knowledge here. It requires precise vocabulary. Defender for Identity is a Defender security product, while many other identity words in the exam belong to the Microsoft Entra domain.
Identity Decision Check
Identity wording is not enough by itself. Defender for Identity is specifically about protecting on-premises Active Directory. Microsoft Entra handles many identity and access management concepts, including Conditional Access, roles, governance, PIM, access reviews, and ID Protection, so use the scenario action to separate them.
- On-premises Active Directory protection means Defender for Identity.
- Access governance means Microsoft Entra.
- Endpoint, Office, and SaaS app scenarios use different Defender services.
Which Microsoft Defender service protects on-premises Active Directory?
A scenario asks about Conditional Access and access reviews. Which product area is a better match than Defender for Identity?
Which wording is the strongest cue for Defender for Identity?