Microsoft Defender for Identity
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Securing Active Directory: Mastering Microsoft Defender for Identity
Introduction: Why Securing Identity is the Frontline of Defense
In the modern enterprise environment, the identity infrastructure—specifically Active Directory Domain Services (AD DS)—is the "keys to the kingdom." If an adversary compromises your domain controllers, they effectively gain control over every user, computer, and application joined to your domain. For years, attackers have focused on lateral movement, privilege escalation, and credential harvesting to infiltrate networks. Microsoft Defender for Identity (MDI) was designed specifically to combat these threats by shifting the focus from simple perimeter defense to behavior-based identity monitoring.
Unlike traditional security tools that look for known file signatures or malicious IP addresses, Defender for Identity monitors the actual traffic flowing to and from your domain controllers. It analyzes Kerberos tickets, NTLM authentication requests, LDAP queries, and DNS requests to build a baseline of "normal" behavior for every entity in your environment. When it detects an anomaly—such as a user account accessing a sensitive server at 3:00 AM from an unknown IP address or an attempt to use a Pass-the-Hash attack—it flags the activity for investigation.
Understanding MDI is critical for any system administrator or security engineer because it provides visibility into the "blind spots" of Active Directory. Many organizations have robust endpoint protection but lack any visibility into the authentication protocols that keep their domain running. By the end of this lesson, you will understand how MDI works, how to deploy it effectively, and how to interpret the signals it generates to stop attackers before they can escalate their privileges.
The Architecture of Defender for Identity
To secure Active Directory effectively, we must first understand how MDI integrates with your existing infrastructure. MDI operates as a cloud-based service, but it relies on local components to capture data. The primary component is the Defender for Identity Sensor, a lightweight agent installed directly on your domain controllers.
How the Sensor Works
The sensor performs deep packet inspection (DPI) on the traffic hitting the domain controller. It does not require a proxy or a firewall change to inspect traffic; it simply reads the network traffic via port mirroring or by utilizing the Windows Filtering Platform (WFP). Because the sensor resides on the domain controller, it has access to the raw authentication logs and the memory space where sensitive processes occur.
Callout: MDI Sensor vs. Traditional SIEM Agents Many administrators compare MDI sensors to traditional SIEM (Security Information and Event Management) agents. The primary difference is that SIEM agents typically ingest logs (Event IDs) that the domain controller has already processed and written to disk. MDI sensors, however, capture real-time network traffic and kernel-level events that often never make it into the event logs. This allows MDI to detect sophisticated attacks like "Golden Ticket" or "Silver Ticket" attacks that rely on forged Kerberos tickets, which are often invisible to standard log-based monitoring.
The Cloud Service
Once the sensor collects the data, it sends the parsed information—not the raw packet data—to the MDI cloud service. The cloud service performs the heavy lifting, applying machine learning models to correlate events across different domain controllers and different entities. This centralized approach allows Microsoft to update detection logic globally as new attack patterns emerge, ensuring your defenses stay current without requiring you to manually update local agents every week.
Key Detection Capabilities: What MDI Actually Finds
Defender for Identity is not just a logging tool; it is an active detection engine. It specializes in identifying the specific techniques used by attackers during the "post-compromise" phase of an attack.
1. Reconnaissance Detection
Attackers rarely start by crashing a server. They start by mapping the network. MDI monitors for:
- Directory Services Reconnaissance: Excessive LDAP queries from an unusual workstation that enumerates all users or groups.
- DNS Reconnaissance: Probing DNS records to identify where internal services are hosted.
- SAM-R Enumeration: Using tools like
net.exeorrpcclientto query the Security Account Manager (SAM) to find local administrators.
2. Compromised Credential Detection
Once an attacker has a foothold, they try to elevate their privileges. MDI excels at detecting:
- Pass-the-Hash (PtH): Identifying when an NTLM hash is reused from an unauthorized machine.
- Pass-the-Ticket (PtT): Detecting forged Kerberos tickets that are used to impersonate other users.
- Brute Force and Password Spraying: Identifying patterns where an attacker tries a common password against hundreds of accounts to avoid triggering a lockout threshold.
3. Lateral Movement
This is the "bread and butter" of identity-based attacks. MDI monitors for:
- Remote Execution: Detecting the use of tools like PsExec or WMI to execute commands on remote servers.
- Unusual Service Logons: When a service account suddenly logs into a workstation it has never accessed before.
Note: MDI does not block traffic by default. It is an alerting and behavioral analysis platform. While it provides the data necessary to block an attack, you must integrate it with Microsoft Defender for Endpoint or your automated response workflows (like Logic Apps) to take action.
Step-by-Step Deployment Guide
Deploying Defender for Identity is a multi-step process that requires access to the Microsoft 365 Defender portal. Follow these steps to ensure a stable and effective rollout.
Step 1: Create the Defender for Identity Instance
- Navigate to the Microsoft 365 Defender portal.
- Go to Settings > Identities > Defender for Identity.
- Click Create instance. This creates the workspace in the cloud where your identity data will be stored.
Step 2: Configure the Directory Service Account
The sensor needs permission to read Active Directory objects to provide context to the alerts (e.g., mapping a SID to a real username).
- In the MDI settings, select Directory services.
- Provide the credentials for a Group Managed Service Account (gMSA) or a standard service account with read-only permissions to the domain.
- Ensure this account has "Read-only" access to the deleted objects container if you want to track changes to deleted accounts.
Step 3: Install the Sensors
- Download the sensor installer from the MDI portal.
- On each domain controller, run the installer.
- During installation, you will be prompted for your Access Key. Copy this from the MDI portal settings.
- Once installed, the sensor will take a few minutes to register and begin the "Learning Phase."
Step 4: The Learning Phase
When the sensor first starts, it does not send alerts immediately. It spends approximately 30 days analyzing your network traffic to establish a baseline. Do not expect comprehensive alerts during this initial period. Instead, focus on verifying that all domain controllers are reporting "Healthy" status in the portal.
Practical Examples: Analyzing an Alert
Let's walk through a common scenario: An MDI alert titled "Suspicious activity related to a sensitive account."
Scenario: A domain administrator account, admin_svc, is used to log into a workstation named WS-05.
- The MDI finding: The alert shows the source computer (
WS-05), the destination (the Domain Controller), and the time of the event. - The Context: MDI displays the "Sensitive Groups" associated with this user. Because
admin_svcis a member of "Domain Admins," MDI flags this as high-risk behavior. - The Investigation: You click on the user profile in the MDI dashboard. You see that this user has never logged into
WS-05in the last 60 days. You also see thatWS-05belongs to a junior developer who has no business access to domain controller management tools.
Action: You immediately reach out to the developer. It turns out their machine was infected with malware that scraped the memory of a browser where the admin had briefly logged in to check a ticket. Because you had MDI, you caught the lateral movement the moment the admin credentials touched that compromised machine.
Best Practices for Maintaining MDI
Deploying MDI is not a "set it and forget it" task. To maintain a secure environment, adhere to these operational standards.
1. Monitor Sensor Health
If a sensor goes offline, that domain controller is effectively "dark." Attackers often target the security tools themselves. If you see a sensor go offline, prioritize it as a high-severity incident. Configure email alerts in the MDI portal to notify your team immediately if any sensor status changes to "Inactive."
2. Leverage "Sensitive Groups" Tags
MDI allows you to tag specific groups as "Sensitive." By default, it tags groups like "Domain Admins" and "Enterprise Admins." However, you should add your own groups, such as "Backup Operators" or "Help Desk Managers," to this list. This ensures that any suspicious activity involving these accounts triggers a higher-alert priority.
3. Integrate with Microsoft Sentinel
While the MDI portal is excellent for identity-specific alerts, it is even more powerful when piped into a SIEM like Microsoft Sentinel. By correlating MDI identity alerts with firewall logs, endpoint logs, and cloud application logs, you can build a complete picture of an attack lifecycle.
4. Regularly Review the "Entities" List
The MDI dashboard provides a list of all entities in your AD. Use this to identify "stale" accounts—service accounts that haven't been used in months, or accounts belonging to employees who have left the company. Disabling these accounts reduces the attack surface significantly.
Tip: If you are using a hybrid environment (on-premises AD synced to Entra ID), ensure you have integrated your MDI alerts with Entra ID Protection. This allows for automated conditional access policies, such as forcing a password reset if MDI detects a "Golden Ticket" attack on an account.
Common Pitfalls and How to Avoid Them
Even with a well-configured tool, mistakes happen. Here are the most common pitfalls I see in the field.
Pitfall 1: Ignoring the "Learning Phase"
Many admins get frustrated when they don't see alerts on day one and start tuning settings prematurely. This leads to a high volume of false positives later.
- Avoidance: Be patient. Let the machine learning models complete the 30-day baseline. If you must tune, do it by creating "Exclusions" for known administrative scripts rather than disabling detection rules.
Pitfall 2: Over-reliance on Default Settings
The default configuration is a great starting point, but it is not customized for your environment. If you have a legacy application that uses insecure LDAP queries, you might be flooded with alerts.
- Avoidance: Use the "Exclude" feature for specific IP addresses or service accounts that are known to perform "noisy" but legitimate activities. Document every exclusion thoroughly so you don't forget why you made that exception.
Pitfall 3: Failing to Secure the Sensor
The MDI sensor runs with high privileges on the domain controller. If an attacker gains local admin rights on the DC, they could theoretically tamper with the sensor.
- Avoidance: Ensure your domain controller hardening standards are strictly enforced. Use Tiered Administration models to ensure that Domain Admins never log into lower-tier workstations.
Comparison: Traditional AD Auditing vs. MDI
| Feature | Traditional Event Logs | Microsoft Defender for Identity |
|---|---|---|
| Data Source | Local Event Log Files | Real-time Network Traffic (DPI) |
| Visibility | Limited to logged events | Deep insight into authentication protocols |
| Detection | Pattern matching (static) | Behavioral analytics (machine learning) |
| Lateral Movement | Very difficult to track | Primary focus of the engine |
| Setup Effort | Low (enabled by default) | Medium (requires sensor deployment) |
| Actionability | Requires manual correlation | Contextual alerts with investigation paths |
Advanced Troubleshooting: When Things Go Wrong
If you find that your MDI sensors are not reporting data, follow this systematic troubleshooting approach.
- Check Service Status: Ensure the "Azure Advanced Threat Protection Sensor" service is running on the domain controller. If it is stopped, check the Event Viewer for the source "Azure Advanced Threat Protection" to identify start-up errors.
- Network Connectivity: The sensor must be able to communicate with the MDI cloud service over port 443. Use
Test-NetConnection -ComputerName <your-workspace>.atp.azure.com -Port 443from the domain controller to verify connectivity. - Sensor Logs: The logs are located in
C:\Program Files\Azure Advanced Threat Protection Sensor\<Version>\Logs. TheMicrosoft.Tri.Sensor.Updater.logis particularly useful for identifying why a sensor failed to register or update. - WFP Filtering: If you have third-party network security software or antivirus on your domain controllers, ensure they are not blocking the MDI sensor's access to the network stack. You may need to add an exclusion for the MDI process.
Strategic Considerations: Moving Beyond Basic Detection
To truly secure your infrastructure, you must treat identity as the perimeter. This means moving away from the "castle and moat" mentality where you only worry about what comes through the firewall.
The Principle of Least Privilege
MDI will often show you that many service accounts have "Domain Admin" rights when they only need "Read" access to a specific OU. Use the MDI "Lateral Movement Paths" feature to identify which accounts are over-privileged. This feature visually maps out how an attacker could move from a low-privilege user to a domain administrator. If you see a path that involves a service account with too much power, prioritize reducing that account's permissions.
Incident Response Integration
When MDI fires an alert, it should trigger a response. Define an Incident Response (IR) playbook. For example:
- Low Severity: Log the event and notify the IT team via email.
- Medium Severity: Automatically disable the user account in AD and force a password reset.
- High Severity: Isolate the source workstation from the network using Microsoft Defender for Endpoint and notify the Security Operations Center (SOC).
Callout: The "Lateral Movement Path" Advantage The most powerful feature in MDI is the "Lateral Movement Path." It doesn't just tell you that an attack is happening; it shows you the potential path an attacker could take to reach your domain controllers. By visualizing these paths, you can proactively harden your environment by breaking the chain—removing local admin rights, rotating service account passwords, or restricting where sensitive accounts can log in.
Industry Recommendations and Best Practices
To wrap up the technical deployment, keep these industry standards in mind:
- Use gMSAs: Wherever possible, use Group Managed Service Accounts instead of standard user accounts for services. MDI handles gMSAs much better, and they offer automated password rotation, which prevents long-term credential theft.
- Tiered Administration: Implement the "Tiered Administration" model (Red Forest or similar). Ensure that Domain Admins never log into Tier 1 (workstations) or Tier 2 (member servers). MDI will quickly alert you if this policy is violated.
- Continuous Monitoring: Do not treat security as a project with a start and end date. Review your MDI dashboard at least once a week. Look for "Suspicious activities" that didn't trigger a high-severity alert but indicate a change in user behavior.
- Documentation: Keep a record of all "ignored" alerts. If you decide that a specific type of traffic is "normal" for your company, document the business justification. This is essential for compliance audits.
Common Questions (FAQ)
Q: Does MDI affect domain controller performance? A: MDI is highly optimized. It uses a very small footprint and is designed to have a negligible impact on CPU and memory. However, on extremely busy domain controllers (handling thousands of authentications per second), you should monitor performance during the first week of deployment.
Q: Can I use MDI if I have a multi-domain forest? A: Yes. You must install a sensor on every domain controller in every domain within the forest to get full visibility. MDI supports multi-domain, multi-forest environments.
Q: Is MDI a replacement for a firewall? A: No. MDI is an identity-focused security tool. It does not inspect traffic for malware payloads or block external malicious web traffic. It complements your existing security stack.
Q: What happens if I lose my internet connection? A: The sensors will buffer the data locally for a short time. Once the connection is restored, they will upload the buffered data. However, you will not receive real-time alerts during the outage.
Key Takeaways for Securing AD DS
- Identity is the New Perimeter: Traditional network-based security is insufficient. Monitoring the authentication and authorization traffic within Active Directory is the most effective way to stop modern, identity-based attacks.
- Behavioral Analysis over Signatures: Attackers constantly change their tools. By focusing on behavior (what they do) rather than signatures (what they are), MDI remains effective against new and evolving threats.
- Visibility is Half the Battle: You cannot defend what you cannot see. MDI provides the visibility into Kerberos, NTLM, and LDAP traffic that traditional logging solutions often miss.
- Use the "Learning Phase" Wisely: Do not rush the deployment. Allow the system to build an accurate baseline of your environment to minimize false positives and ensure the alerts you receive are meaningful.
- Prioritize Lateral Movement Paths: Use the visualization tools in MDI to identify and break the paths that lead from low-security workstations to your domain controllers.
- Integrate and Automate: MDI is most powerful when it is part of a larger ecosystem. Connect it to your SIEM and use the alerts to drive automated response workflows.
- Maintenance is Mandatory: An "inactive" sensor is a security gap. Establish a process to monitor the health of your sensors and treat sensor failures as high-priority security incidents.
By mastering Microsoft Defender for Identity, you move from a reactive posture—where you are cleaning up after an attacker—to a proactive posture, where you can see the attacker's footsteps and neutralize them before they reach their goal. Active Directory is the heart of your infrastructure; guarding it requires the specialized, behavior-focused approach that MDI provides.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons