8.5 Defender for Identity
Key Takeaways
- Defender for Identity (formerly Azure Advanced Threat Protection / Azure ATP) is a cloud service that uses on-premises Active Directory signals to detect identity threats.
- Sensors installed on domain controllers and AD FS/AD CS servers monitor traffic and authentication, sending signals to the cloud.
- It detects reconnaissance, compromised credentials, lateral movement, and domain dominance across the identity kill chain.
- It protects on-prem AD identities — distinct from Microsoft Entra ID Protection, which protects cloud (Entra) identities.
- It is a security/Defender service, not an access-management or governance feature.
Protecting On-Premises Active Directory Identities
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection / Azure ATP) is a cloud-based security solution that uses signals from your on-premises Active Directory to identify, detect, and investigate advanced identity threats and malicious insider actions. The product runs in the cloud, but its source of truth is the on-prem AD environment, where most credential-theft and lateral-movement attacks play out. When SC-900 describes detecting attacks against on-premises Active Directory — Pass-the-Hash, Pass-the-Ticket, reconnaissance, lateral movement, or domain dominance — the answer is Defender for Identity.
How It Works — Sensors
Defender for Identity collects telemetry through lightweight sensors installed directly on domain controllers (and optionally AD FS and AD CS servers). The sensors monitor domain-controller network traffic, Windows events, and authentication activity, then send parsed signals to the Defender for Identity cloud service for analysis. No separate port-mirroring appliance is required (the modern sensor sits on the DC itself).
The cloud service applies User and Entity Behavioral Analytics (UEBA), threat intelligence, and known attack patterns to surface alerts, which flow into the Microsoft Defender portal as part of unified Defender XDR incidents.
What It Detects — the Identity Kill Chain
Defender for Identity maps detections to the stages of an identity-based attack:
| Attack phase | Example detections |
|---|---|
| Reconnaissance | Account/group enumeration, SAM-R queries, DNS reconnaissance |
| Compromised credentials | Brute force, suspicious authentications, abnormal sign-ins |
| Lateral movement | Pass-the-Hash, Pass-the-Ticket, overpass-the-hash, lateral movement paths |
| Domain dominance | DCSync, DCShadow, Golden Ticket, suspicious service creation |
It also computes lateral movement paths showing how an attacker could pivot from a non-sensitive account to a privileged one, helping defenders close those paths proactively.
The "Identity" Word Trap
"Identity" appears all over SC-900, so the word alone is not enough. Separate Defender for Identity from the Microsoft Entra identity domain:
| Concern | Product | Domain |
|---|---|---|
| Detect threats against on-premises AD | Defender for Identity | Security (Defender) |
| Detect risky cloud (Entra) sign-ins/users | Microsoft Entra ID Protection | Identity |
| Enforce Conditional Access / MFA | Microsoft Entra Conditional Access | Identity |
| Just-in-time privileged role activation | Microsoft Entra PIM | Identity |
| Access reviews / lifecycle governance | Microsoft Entra ID Governance | Identity |
The sharpest distinction is Defender for Identity (on-prem AD) vs. Entra ID Protection (cloud Entra identities) — both are about identity threat detection, but on different surfaces. If the prompt asks to govern, review, or activate access, it is Entra governance/PIM, not Defender for Identity. If it asks to detect an attacker abusing on-prem AD, it is Defender for Identity.
Also keep it apart from the other Defender workloads: it is not Defender for Endpoint (devices), not Defender for Office 365 (email), and not Defender for Cloud Apps (SaaS apps).
Quick cues
- "Detect Pass-the-Hash / lateral movement in on-prem Active Directory" → Defender for Identity.
- "Risky cloud sign-in detected for an Entra user" → Entra ID Protection.
- "Review who has access / activate an admin role just in time" → Entra ID Governance / PIM.
Why On-Premises AD Needs Its Own Defender
Most organizations still run on-premises Active Directory (often synchronized to the cloud via hybrid identity), and attackers love it because a single compromised account can be escalated to domain dominance — effective control of the whole directory. Traditional perimeter and antivirus tools are blind to the identity-layer techniques attackers use inside AD: enumerating accounts, replaying stolen tickets, abusing replication. Defender for Identity exists to watch exactly those signals, applying behavioral analytics to authentication and directory traffic that a domain controller sees but rarely scrutinizes.
Because it is cloud-managed, Defender for Identity needs no on-prem analytics infrastructure — the sensors on the domain controllers do lightweight collection and send signals up to the service, where machine learning baselines normal behavior per user and entity. Alerts arrive pre-correlated into the Microsoft Defender portal and become part of Defender XDR incidents, so an on-prem AD attack appears alongside the related endpoint, email, and SaaS-app activity in one story.
Defender for Identity vs. Entra ID Protection — the Sharpest Distinction
Both detect identity threats, but on different identity stores. The exam loves this pair:
| Defender for Identity | Microsoft Entra ID Protection | |
|---|---|---|
| Identity store | On-premises Active Directory | Cloud Microsoft Entra ID |
| Detects | Lateral movement, recon, domain dominance | Risky sign-ins, leaked credentials, risky users |
| Domain on SC-900 | Security (Defender) | Identity (Entra) |
| Data source | DC/AD FS sensors | Cloud sign-in and user-risk signals |
If the scenario mentions domain controllers, Kerberos/NTLM attacks, Pass-the-Hash, or on-prem AD, choose Defender for Identity. If it mentions cloud sign-in risk, leaked credentials in the cloud, or risk-based Conditional Access, choose Microsoft Entra ID Protection. And if it mentions managing access — reviews, role activation, entitlement management — that is Entra ID Governance / PIM, not a threat-detection product at all.
The single most reliable trigger word for Defender for Identity is on-premises Active Directory: whenever a scenario names the on-prem directory, domain controllers, or classic AD attack techniques, Defender for Identity is the intended answer, while every cloud-identity term routes to the Microsoft Entra family instead.
Which service uses signals from on-premises Active Directory to detect lateral movement and compromised credentials, and was formerly called Azure ATP?
How does Defender for Identity collect its telemetry?
A risky sign-in is detected for a cloud Microsoft Entra user account. Which service handles this, rather than Defender for Identity?
Which scenario is a Microsoft Entra governance task rather than a Defender for Identity task?