Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) protects your on-premises Active Directory environment from the identity-based attacks that are responsible for the vast majority of serious data breaches. It monitors all Active Directory traffic in real time and uses behavioural analytics to detect attacks that traditional antivirus and firewall tools completely miss.
What’s Included
- Real-time Active Directory monitoring — Defender for Identity installs a lightweight sensor on your Domain Controllers. It reads Active Directory logs and network traffic in real time, with no performance impact and no need to mirror network traffic.
- Attack detection — specific threats identified:
  - Pass-the-hash and Pass-the-ticket — Detects when attackers steal Kerberos tickets or NTLM hashes to impersonate privileged users without needing their passwords
  - Golden ticket and Silver ticket attacks — Detects forged Kerberos tickets used to maintain persistent access with domain admin privileges
  - Lateral movement paths — Maps how an attacker could move from a compromised user account to a Domain Admin using existing trust relationships and credentials cached on endpoints
  - Reconnaissance — Detects LDAP enumeration, DNS reconnaissance, account enumeration, and network mapping by attackers surveying your environment
  - DCSync attacks — Detects when a non-DC computer requests replication data from a Domain Controller, a common technique to extract all password hashes from Active Directory
  - Brute force and password spray — Detects repeated authentication failures consistent with automated credential guessing attacks
- Behavioural baselines — Defender for Identity learns normal behaviour for every user and computer in your environment, then alerts when behaviour deviates — accessing systems at unusual hours, from unusual locations, or with unusual privilege escalation patterns.
- Identity security posture assessments — Identifies misconfigurations in Active Directory that attackers commonly exploit: accounts with no pre-auth, unconstrained delegation, dormant admin accounts, and accounts with non-expiring passwords.
- Integration with Microsoft 365 Defender — Identity alerts appear alongside endpoint, email, and cloud app signals in the unified Microsoft 365 Defender incident view, giving a complete attack picture across the entire kill chain.
Requirements
- On-premises Active Directory Domain Services (AD DS) environment
- Sensor installed on each Domain Controller (lightweight, no reboot required)
- Internet connectivity from sensors to the Defender for Identity cloud service
Ideal For
Any organisation with an on-premises Active Directory environment. Given that over 80% of data breaches involve compromised credentials and identity-based attacks, Defender for Identity is one of the highest-value security investments available — particularly for organisations running hybrid (AD + Azure AD) environments where attackers move between on-premises and cloud.
Keys Locker CSP Guarantee
- Genuine Microsoft CSP licence — provisioned directly through the official Microsoft partner channel
- 99.9% uptime SLA — Microsoft-backed service level agreement for all Microsoft 365 services
- Instant provisioning — subscription activated within minutes of payment confirmation
- 7-day money-back guarantee — full refund if not provisioned or unused within 7 days
- Flexible cancellation — cancel monthly plans anytime; annual plans cancel at end of term
- 24/7 partner support — our team escalates issues directly to Microsoft on your behalf
- Scale up or down anytime — add or remove seats mid-cycle with no penalty





