Protecting Identities Using Microsoft Defender For Identity Part 1 – Introductions


Encountering some difficult terms and in need of some extra info? Scroll down to our FAQ of this article.

Active Directory (AD), the backbone of most business operations, presents a particularly enticing target for cybercriminals due to its critical role in identity management. That’s why Microsoft developed a robust solution: Microsoft Defender for Identity (MDI).

In this first part of our series, we’ll explore how MDI helps safeguard organizations from identity-based threats, with insights from Orlox’s implementation expertise. Stay tuned for our next entry, which will include a hands-on tutorial detailing how to effectively use MDI within your organization.

What Is Microsoft Defender For Identity?

Active Directory (AD) is still at the heart of most businesses today. Although being extremely critical, it also offers a large attack surface for any potential attacker. This is why a lot of cyber attacks have shifted to identity-based attacks, as they offer the most bang for the buck. These attacks may lead to a security breach and cause considerable damage to any organization.

To help organizations stay aware of these advanced persistent threats, Microsoft created Microsoft Defender for Identity (MDI).

Microsoft Defender for Identity can help organizations to:

  • Prevent breaches, using proactive identity security posture assessments
  • Detect threats, using real-time analytics and data intelligence
  • Investigate suspicious activities, using clear, actionable incident information
  • Respond to attacks, using automatic response to compromised identities

Going back to the previous chapter, where we identified the Cyber attack kill chain, we can identify the following threats using Defender for Identity

ThreatHow does Defender for Identity help you?
ReconnaissanceIdentify rogue users and attackers’ attempts to gain information.

Attackers search for information about user names, users’ group membership, IP addresses assigned to devices, resources, and more, using various methods.
Compromised credentialsIdentify attempts to compromise user credentials using brute force attacks, failed authentications, user group membership changes, and other methods.
Lateral movementsDetect attempts to move laterally inside the network to gain further control of sensitive users, utilizing methods such as Pass the Ticket, Pass the Hash, Overpass the Hash and more.
Domain dominanceView highlighted attacker behavior if domain dominance is achieved. For example, attackers might run code remotely on the domain controller, or use methods like DC Shadow, malicious domain controller replication, Golden Ticket activities, and more.

How Does Microsoft Defender For Identity Work?

Microsoft Defender for Identity uses sensors to gather and analyze data from your Active Directory domain controllers, Azure Active Directory, and Microsoft 365 services. The sensors send the data to the cloud, where it is processed by advanced machine learning algorithms and threat intelligence. The cloud service then produces alerts and recommendations based on the detected activity and risk level.

You can see and manage the alerts and recommendations from the Microsoft Defender for Identity portal or integrate them with other security solutions such as Microsoft Defender for Endpoint, Microsoft 365 Defender, or Azure Sentinel.

Defender for Identity consists of the following components:

  • Microsoft Defender portal
    The Microsoft Defender portal creates your Defender for Identity workspace, displays the data received from Defender for Identity sensors, and enables you to monitor, manage, and investigate threats in your network environment.
  • Defender for Identity sensor Defender for Identity sensors can be directly installed on the following servers:
    • Domain controllers: The sensor directly monitors domain controller traffic, without the need for a dedicated server, or configuration of port mirroring.
    • AD FS / AD CS: The sensor directly monitors network traffic and authentication events.
  • Defender for Identity cloud service
    Defender for Identity cloud service runs on Azure infrastructure and is currently hosted in the US, Europe, Australia East, and Asia. Defender for Identity cloud service is connected to Microsoft’s intelligent security graph.

Licensing Requirements

Deploying Defender for Identity requires one of the following Microsoft 365 licenses:

  • Enterprise Mobility + Security E5 (EMS E5/A5)
  • Microsoft 365 E5 (Microsoft E5/A5/G5)
  • Microsoft 365 E5/A5/G5 Security
  • A standalone Defender for Identity license


As we have seen, Microsoft Defender for Identity offers a comprehensive toolset designed to protect against the evolving threats targeting Active Directory and Azure Active Directory environments. As a trusted partner, Orlox is equipped to help integrate these advanced protections into your security strategy, ensuring that your identity infrastructure is both resilient and compliant.

Join us for the next installment of this series, where we will dive deeper with a practical, hands-on tutorial on setting up and optimizing Microsoft Defender for Identity. If you’re looking to enhance your organization’s security posture or require expert guidance on implementing MDI, don’t hesitate to contact Orlox today. Let us help you fortify your defenses and navigate the complex landscape of cybersecurity.


Attack surface

An organization’s attack surface is the sum of vulnerabilities, pathways, or methods—sometimes called attack vectors—that cybercriminals can use to gain unauthorized access to the network or sensitive data, or to carry out a cyberattack.

Identity-based threat

An identity-based attack is a type of cyber attack that targets and compromises the digital identity of individuals and organizations. In this type of attack, a cybercriminal tries to steal, alter and misuse an individual’s identity-related information such as their login credentials, domain names, personal data or digital certificates.

Security posture

Security posture is the understanding of the security status of the asset inventory and the level of preparedness to prevent, detect, mitigate or remediate security events.

Threat intelligence

Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables us to make faster, more informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors.

Want to know more? Contact us or read more about our Services.