Why Identity Has Become the Primary Attack Surface
Modern attacks overwhelmingly target identity infrastructure first. Rather than immediately deploying malware or exploiting endpoints, attackers now focus on credential theft, directory reconnaissance, Kerberos abuse, NTLM relay, and lateral movement inside Active Directory.
Domain controllers, service accounts, certificate services, and federation servers represent some of the highest‑value assets in the enterprise. Once compromised, they enable persistence, privilege escalation, and complete domain takeover with very little noise.
Microsoft Defender for Identity (MDI) was built specifically to address this problem by analyzing authentication behavior, directory activity, and identity relationships across on‑premises and hybrid environments.
What Microsoft Defender for Identity Does
Defender for Identity continuously monitors identity signals from Active Directory, AD FS, AD CS, and Entra Connect servers. These signals are analyzed using behavioral analytics, baselining, and cloud intelligence to detect suspicious activity that traditional log monitoring often misses.
- Detects credential theft and replay techniques such as pass‑the‑hash and pass‑the‑ticket
- Identifies lateral movement and privilege escalation paths
- Monitors NTLM authentication and legacy protocol usage
- Surfaces insecure Active Directory and certificate configurations
- Correlates identity events into Microsoft Defender XDR incidents
Licensing Requirements (And Why Many Organizations Already Own It)
One of the most common reasons Defender for Identity is not deployed is simple confusion around licensing. In reality, many organizations are already licensed but have never enabled the service.
Defender for Identity is included with Microsoft 365 E5, Microsoft 365 E5 Security, Enterprise Mobility + Security E5, and F5 Security add‑on licenses. It is also available as a standalone SKU.
Licensing is per user, while deployment is tenant‑wide: a single qualifying license enables the service for the whole tenant, but organizations must still license every covered user to remain compliant.
Deployment Architecture Overview
Defender for Identity uses lightweight sensors that collect identity signals directly from domain controllers and identity‑related servers. These sensors transmit telemetry securely to the Microsoft Defender cloud service for analysis.
Best practice deployment includes sensors on:
- All writable and read‑only domain controllers
- Active Directory Federation Services (AD FS) servers
- Active Directory Certificate Services (AD CS) servers
- Microsoft Entra Connect servers
Why a gMSA Directory Services Account Is Critical
Defender for Identity relies on a directory services account to read objects in Active Directory. While a traditional domain admin account can technically work, it introduces operational fragility and security risk.
Group Managed Service Accounts (gMSA) provide automatic password rotation, reduced credential exposure, and long‑term reliability. Using a gMSA avoids outages caused by expired passwords and aligns with least‑privilege design.
Audit Configuration: The Difference Between “Installed” and “Effective”
Defender for Identity detections depend heavily on Windows security auditing. Without correct audit policies, sensors may appear healthy while detections remain incomplete.
Advanced auditing must be enabled on domain controllers for authentication, account management, directory service access, and system events. NTLM auditing is especially important for visibility into legacy authentication paths.
AD Certificate Services auditing is frequently overlooked, despite certificate abuse being one of the fastest‑growing attack techniques in modern identity breaches.
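To tell "installed" from "effective", run a check on each domain controller rather than trusting sensor health alone. The script below is an added example, not code from the article or from Microsoft; it assumes that the eight auditpol subcategories it lists are the minimum set for the four audit areas named above, that the NTLM auditing registry value names and expected numbers mirror the corresponding "Network security: Restrict NTLM" policies, and the helper names Get-AuditPolicyGap and Get-NtlmAuditGap are my own.

```powershell
# Added example (not from the original article): report which audit settings
# Defender for Identity depends on are missing on this DC. Run elevated on each
# DC. Names are auditpol's own; this list as the minimum set is an assumption.
$required = @{
    'Credential Validation'         = 'Success and Failure'  # authentication
    'User Account Management'       = 'Success'              # account management
    'Computer Account Management'   = 'Success'
    'Security Group Management'     = 'Success'
    'Distribution Group Management' = 'Success'
    'Directory Service Access'      = 'Success'              # directory service access
    'Directory Service Changes'     = 'Success'
    'Security System Extension'     = 'Success'              # system events
}

function Get-AuditPolicyGap {
    $gaps = @()
    foreach ($sub in $required.Keys) {
        # "/r" returns CSV; the Inclusion Setting column holds values such as
        # "Success", "Success and Failure" or "No Auditing".
        $row = auditpol /get /subcategory:"$sub" /r |
               Where-Object { $_ -ne '' } | ConvertFrom-Csv
        $actual = $row.'Inclusion Setting'
        $ok = ($actual -eq 'Success and Failure') -or ($actual -eq $required[$sub])
        if (-not $ok) { $gaps += "$sub is '$actual', expected '$($required[$sub])'" }
    }
    return $gaps
}

# NTLM auditing is a registry-backed LSA/Netlogon setting, not an auditpol
# subcategory. The value names and expected numbers below are assumptions
# mirroring the 'Network security: Restrict NTLM: ... audit' policies.
$ntlmChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'AuditNTLMInDomain';         Want = 7 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';           Name = 'AuditReceivingNTLMTraffic';  Want = 2 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';           Name = 'RestrictSendingNTLMTraffic'; Want = 1 }
)

function Get-NtlmAuditGap {
    $gaps = @()
    foreach ($c in $ntlmChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item -or $item.($c.Name) -ne $c.Want) {
            $gaps += "$($c.Name) is '$($item.($c.Name))', expected $($c.Want)"
        }
    }
    return $gaps
}
$all = @(Get-AuditPolicyGap) + @(Get-NtlmAuditGap)
if ($all.Count -eq 0) { 'All required audit settings are effective.' } else { $all }
```

An empty result means the local effective policy matches; a non-empty list names the exact subcategory or registry value to fix in the GPO applied to the Domain Controllers OU. AD FS and AD CS hosts need their own role-specific audit settings, which this DC-focused check does not cover.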
Why Defender for Identity Should Be Deployed in Every AD Environment
Identity remains the one control plane that attackers must eventually touch. Defender for Identity provides visibility where traditional EDR and SIEM tools fall short.
- Early detection of compromised credentials before domain takeover
- Continuous identification of insecure directory configurations
- Unified incidents across endpoint, email, and identity telemetry
- High return on investment for organizations already licensed
Defender for Identity is not just a detection tool—it is a foundational identity security control and a critical component of Zero Trust architecture.