Microsoft SC200 Certification - Microsoft Endpoint & eXtended Detection Response (EDR/XDR) Part 2B - Microsoft Defender for Identity (MDI)
- brencronin
- Dec 30, 2025
- 8 min read
Microsoft Defender for Identity (MDI)
Identity Protection: Understanding and Addressing Identity-Based Threats
Identity protection focuses on identifying and mitigating weaknesses and threats related to identity systems. The adage "Identity is the new perimeter" may be overused, but it accurately highlights the reality of modern cybersecurity. Threat actors target identities because they grant access to systems and sensitive information. With the growing shift to cloud-based environments, compromising identities has become an easier and more effective attack vector. Once an identity is compromised, attackers inherit the same access and privileges as the legitimate user. Identity threats and compromises have become so ubiquitous that a new category of security tooling has emerged, referred to as Identity Threat Detection & Response (ITDR) tools.
For cybersecurity professionals handling incidents, it's clear that identity compromises far outnumber system compromises. This is because compromising identities is often simpler than breaching hardened systems.
Identity Protection Tools: On-Premise vs. Cloud
Exploring the landscape of identity protection tools reveals two primary categories:
Protection for traditional on-premises Active Directory (AD) identities
Protection for cloud-based Azure identities
While many organizations synchronize on-premise and cloud identities, there are key differences in how these systems are attacked and defended. These differences necessitate tailored detection, prevention, and alerting tools for each environment.
Commonalities between On-Premise and Cloud Identity Cyber Protection Systems
Both on-premise and cloud identity systems share critical traits:
Dynamic Nature: Identity systems are constantly evolving with new accounts, roles, and configurations. Security is not a "set-it-and-forget-it" process. Misconfigurations or weakened settings often provide footholds for attackers. A common attack tactic involves reverting identity configurations to a weaker state, enabling exploitation.
Continuous Monitoring: Effective identity protection requires ongoing analysis of configurations and logs to identify vulnerabilities or signs of exploitation. An ideal system continuously scans for weak configurations and alerts on potential exploitation chains.
Behavioral Insights: Usage patterns and log data are critical for identifying abnormal behavior that could indicate compromised identities.
Honeypot-type features: Facilitate the creation and monitoring of decoy (i.e., "honey") accounts and tokens specifically designed to appear enticing to threat actors. These accounts are not used in normal operations but serve as bait, helping detect and monitor malicious activity within your organization. https://jeffreyappel.nl/how-to-use-deception-in-microsoft-defender-for-endpoint-defender-xdr/
Microsoft’s Identity Protection Ecosystem
Microsoft provides distinct tools for identity protection across environments:
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection): Focused on on-premises Active Directory environments.
Entra ID Protection (formerly Azure AD Identity Protection): Designed for cloud-based identity systems under the Azure Entra umbrella.
Recently, Microsoft has unified its branding, merging Entra ID Protection into Microsoft Defender for Identity, streamlining its identity protection solutions under a single name.
Understanding On-Premise Identity Weaknesses and Attacks
On-premise identity systems, particularly Active Directory (AD), are frequent targets for attackers. Once inside the environment, threat actors commonly use tools such as BloodHound, Impacket, Rubeus, and Mimikatz to enumerate and exploit the AD environment. Their goals often include:
Dumping account hashes to crack passwords offline.
Exploiting weak configurations that expose accounts to attacks such as AS-REP roasting, Kerberoasting, and DCSync.
These attacks rely on misconfigurations under which the domain controller hands out account password material on request. For instance, service accounts can be configured to resist "roasting" attacks, but improper settings leave them vulnerable.
Role and Mechanism of On-Premises Identity Protection Systems
Effective identity protection systems serve two critical functions:
Proactive Weakness Detection: Continuously analyze AD configurations to identify and report vulnerabilities, such as "roastable" accounts, before attackers exploit them.
Real-Time Attack Detection: Monitor domain controller logs for suspicious patterns, such as unusual account information requests indicative of active attacks.
To achieve these goals, specialized sensors are deployed to:
Pull AD configurations to detect weak or exploitable settings, often referred to as Indicators of Exposure (IoE).
Analyze domain controller log data for attack patterns, known as Indicators of Attack (IoA).
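The two sensor jobs above (pull configuration for IoEs, watch DC logs for IoAs) can be sketched in a few dozen lines. The following is an added example and is not code from Defender for Identity or Tenable IE: the account export, the domain-controller events and the decoy account are constructed inline, and the field names are assumptions. It also covers the honey token idea from the earlier section, since a decoy account is just an IoA rule that fires on any use at all. The userAccountControl bit values and the Kerberos event IDs (4768 for a TGT request, 4769 for a service ticket request) are the documented Windows values.

```python
"""Indicator-of-Exposure (IoE) and Indicator-of-Attack (IoA) checks.

Added illustration, not code from Defender for Identity or Tenable IE.
The account export and the domain-controller events are constructed
inline; field names are assumptions. Event 4769 is a Kerberos service
ticket request and 4768 a TGT request (documented Windows event IDs).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# userAccountControl flags from the documented ADS_USER_FLAG enumeration.
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000
RC4_HMAC = 0x17  # TicketEncryptionType value for RC4 in event 4769

# Decoy (honey token) accounts: never used legitimately, so any touch is an alert.
HONEYTOKENS = {"svc_backup_legacy"}

# Constructed directory export, as a sensor would pull it from AD.
ACCOUNTS = [
    {"sam": "svc_sql", "uac": 0x10200, "spns": ["MSSQLSvc/db01:1433"], "pwd_age_days": 900},
    {"sam": "jdoe", "uac": 0x400200, "spns": [], "pwd_age_days": 40},
    {"sam": "svc_web", "uac": 0x200, "spns": ["HTTP/web01"], "pwd_age_days": 30},
    {"sam": "svc_backup_legacy", "uac": 0x10200, "spns": ["cifs/bak01"], "pwd_age_days": 1200},
]

# Constructed DC events: (timestamp, event id, requesting account, service, etype).
EVENTS = [
    ("2025-12-30T09:00:01", 4769, "jdoe", "MSSQLSvc/db01:1433", 0x12),
    ("2025-12-30T09:14:00", 4769, "alice", "MSSQLSvc/db01:1433", RC4_HMAC),
    ("2025-12-30T09:14:02", 4769, "alice", "HTTP/web01", RC4_HMAC),
    ("2025-12-30T09:14:03", 4769, "alice", "cifs/bak01", RC4_HMAC),
    ("2025-12-30T09:14:05", 4769, "alice", "ldap/dc01", RC4_HMAC),
    ("2025-12-30T10:30:00", 4768, "svc_backup_legacy", "krbtgt", 0x12),
]


def find_exposures(accounts):
    """IoEs: accounts whose configuration exposes them to roasting attacks."""
    findings = []
    for acct in accounts:
        if acct["sam"] in HONEYTOKENS:
            continue  # decoys are exposed on purpose; do not report them
        if acct["uac"] & UF_DONT_REQUIRE_PREAUTH:
            findings.append((acct["sam"], "AS-REP roastable: Kerberos pre-authentication disabled"))
        if acct["spns"] and acct["pwd_age_days"] > 365:
            findings.append((acct["sam"], "Kerberoastable: SPN set and password older than one year"))
        if acct["spns"] and acct["uac"] & UF_DONT_EXPIRE_PASSWD:
            findings.append((acct["sam"], "Service account password never expires"))
    return findings


def detect_attacks(events, window=timedelta(minutes=5), min_spns=3):
    """IoAs: honey token use and a Kerberoasting request pattern."""
    spn_owner = {spn: a["sam"] for a in ACCOUNTS for spn in a["spns"]}
    alerts = set()
    rc4_requests = defaultdict(list)  # account -> [(time, service)]
    for ts, event_id, user, service, etype in events:
        when = datetime.fromisoformat(ts)
        if user in HONEYTOKENS:
            alerts.add(("honeytoken_account_used", user))
        if event_id == 4769 and spn_owner.get(service) in HONEYTOKENS:
            alerts.add(("honeytoken_spn_requested", user))
        if event_id == 4769 and etype == RC4_HMAC:
            rc4_requests[user].append((when, service))
    # Many RC4 service tickets for distinct SPNs in a short window is the
    # classic Kerberoasting signature (a user normally needs one or two).
    for user, reqs in rc4_requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            distinct = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(distinct) >= min_spns:
                alerts.add(("kerberoasting_pattern", user))
                break
    return alerts


if __name__ == "__main__":
    for sam, issue in find_exposures(ACCOUNTS):
        print(f"IoE {sam}: {issue}")
    for kind, who in sorted(detect_attacks(EVENTS)):
        print(f"IoA {kind}: {who}")
```

Note the two halves feed each other: the SPN-to-owner map built from the configuration pull is what lets the log analysis recognize that a ticket request for cifs/bak01 is a touch on the decoy account, which is exactly why a product needs both the IoE and the IoA data source.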
Tools for On-Premise Identity Protection
Several tools exist to protect on-premise AD environments. Notable examples include:
Microsoft Defender for Identity: Traditionally relied on dedicated sensors to collect AD configurations and monitor authentication events. https://jeffreyappel.nl/how-to-implement-defender-for-identity-and-configure-all-prerequisites/
Tenable Identity Exposure (IE) (formerly Tenable AD): Deploys external sensors to perform similar tasks, identifying IoEs and IoAs through communication with domain controllers.
Microsoft recently announced that its identity protection solution no longer requires separate sensors. This shift likely integrates sensor capabilities into the Defender agent installed on domain controllers, streamlining the deployment process. Regardless of implementation, identity protection systems must have a mechanism, whether external sensors or built-in agents, to:
Continuously review AD configurations for weaknesses.
Analyze authentication logs for signs of compromise.
Cyber Deception
Cyber deception products are often associated with Microsoft on-premises identity protection solutions due to their tight integration with Active Directory and on-premises systems. These tools work by seeding environments, most commonly through Active Directory, with realistic fake users, credentials, and tokens so that, if an attacker compromises a system, they encounter built-in tripwires along common attack paths such as Kerberoasting, credential dumping, and hash extraction. Cyber deception capabilities are typically built around lures (e.g., fake documents and cached credentials) and decoys (e.g., simulated devices and accounts). When these elements are linked together into a credible narrative that mirrors real operational workflows, they reliably attract attacker interaction and provide high-fidelity detection with minimal false positives.
Cloud Identity Protection with Entra ID Protection
Cloud identity protection through Entra ID Protection introduces unique threats and telemetry, distinct from on-premise systems. One significant advantage of cloud-based systems is their ability to leverage advanced analytics on logon activity, allowing Microsoft to analyze patterns such as:
The geographic location and IP address of the login.
The user-agent used for authentication.
The specific resource or application accessed.
This rich telemetry enables advanced threat detection by identifying anomalies, such as:
Unfamiliar IPs or devices: For example, when a user logs in from a new IP address or with a different device.
Impossible travel patterns: Logins occurring from geographically distant locations within an unrealistically short timeframe.
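To make the two anomaly types concrete, here is an added example (not Entra ID Protection code) that builds a per-user baseline of IP addresses, user agents and applications from a constructed 30-day sign-in history, then scores new sign-ins for unfamiliar properties and for impossible travel between consecutive sign-ins. The city coordinates, the 900 km/h plausibility ceiling and the record fields are assumptions chosen for illustration.

```python
"""Sign-in anomaly checks over Entra-style telemetry (added example).

Not Entra ID Protection code. The history and the new sign-ins are
constructed to resemble the fields an interactive sign-in log carries
(location, IP, user agent, application). Thresholds are assumptions.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900  # assumption: roughly airline cruising speed
CITIES = {"Denver": (39.74, -104.99), "Singapore": (1.35, 103.82)}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def signin(time, ip, city, ua, app):
    """Build one constructed sign-in record."""
    return {"time": time, "ip": ip, "city": city, "ua": ua, "app": app}


# Constructed 30-day baseline for one user.
HISTORY = [
    signin("2025-12-01T08:10:00", "203.0.113.10", "Denver", "Edge/131 Windows", "Outlook"),
    signin("2025-12-15T09:02:00", "203.0.113.10", "Denver", "Edge/131 Windows", "Teams"),
    signin("2025-12-29T17:00:00", "203.0.113.10", "Denver", "Edge/131 Windows", "Outlook"),
]

# Constructed new sign-ins to score, in chronological order.
NEW_SIGNINS = [
    signin("2025-12-30T08:00:00", "203.0.113.10", "Denver", "Edge/131 Windows", "Outlook"),
    signin("2025-12-30T08:40:00", "198.51.100.7", "Singapore", "python-requests/2.32", "Microsoft Graph"),
    signin("2025-12-31T10:05:00", "203.0.113.55", "Denver", "Edge/131 Windows", "Teams"),
]


def build_baseline(history):
    """Set of previously seen values for each property we compare."""
    return {k: {s[k] for s in history} for k in ("ip", "ua", "app")}


def analyze(signins, history):
    """Return [(time, [reasons])]; an empty reason list means nothing unusual."""
    base = build_baseline(history)
    prev = max(history, key=lambda s: s["time"]) if history else None
    results = []
    for s in signins:
        reasons = [f"unfamiliar_{k}" for k in ("ip", "ua", "app") if s[k] not in base[k]]
        if prev is not None:
            hours = (datetime.fromisoformat(s["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = haversine_km(*CITIES[prev["city"]], *CITIES[s["city"]])
            # Required speed above the ceiling means the same person cannot
            # have made both sign-ins; the next sign-in is compared to this one.
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                reasons.append("impossible_travel")
        results.append((s["time"], reasons))
        prev = s
    return results


if __name__ == "__main__":
    for when, reasons in analyze(NEW_SIGNINS, HISTORY):
        print(when, reasons or "ok")
```

The second sign-in trips every check at once (new IP, scripted user agent, new application, and a distance no traveller covers in forty minutes), which is the pattern behind the "Unfamiliar sign-in properties" and "Impossible travel" detections listed later on this page. The third sign-in shows why the checks are kept separate: a new IP on its own is weak evidence, but the distance and timing back in Denver are plausible.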
Conditional Access
Microsoft Entra's expanded data signals enable the powerful Conditional Access feature, allowing organizations to dynamically enforce security policies using an if-then logic structure. This approach lets administrators create tailored access rules based on real-time conditions.
For example:
If a login attempt originates from an unusual location, then block access.
If a user logs in from a non-compliant device, then allow access only after completing an additional verification step, such as multi-factor authentication (MFA).
Conditional Access enhances security by responding to risk signals dynamically, reducing reliance on static policies and improving adaptability to evolving threats.
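The if-then structure maps naturally onto a small policy evaluator. The following is an added example, not Entra code, and the policy names, condition fields and grant controls are constructed. It does reflect two documented Conditional Access evaluation rules beyond the page's two bullets: every policy whose conditions match is applied, and a block control takes precedence over any grant control.

```python
"""Toy Conditional Access evaluator (added example, not Entra ID code).

Policies follow the if-then shape from the text: conditions on the
sign-in context, then a grant control ("block" or a set of required
controls). Mirrors two documented evaluation rules: every matching
policy applies, and a block wins over any grant. Policies and context
fields are constructed for illustration.
"""

POLICIES = [
    {"name": "Block sign-ins from unusual locations",
     "conditions": {"location_familiar": False}, "controls": "block"},
    {"name": "Require MFA on non-compliant devices",
     "conditions": {"device_compliant": False}, "controls": {"mfa"}},
    {"name": "Require MFA for admin roles",
     "conditions": {"is_admin": True}, "controls": {"mfa"}},
    {"name": "Require compliant device for finance app",
     "conditions": {"app": "finance"}, "controls": {"compliant_device"}},
]


def matching_policies(context, policies=POLICIES):
    """Policies whose every condition equals the corresponding context field."""
    return [p for p in policies
            if all(context.get(k) == v for k, v in p["conditions"].items())]


def evaluate(context, policies=POLICIES):
    """Decide block / allow / challenge for one sign-in context."""
    matched = matching_policies(context, policies)
    blockers = [p["name"] for p in matched if p["controls"] == "block"]
    if blockers:  # block beats every grant control
        return {"decision": "block", "required": [], "policies": blockers}
    required = sorted({c for p in matched for c in p["controls"]})
    satisfied = set(context.get("satisfied", ()))
    if context.get("device_compliant"):
        satisfied.add("compliant_device")  # a compliant device meets that control by itself
    missing = [c for c in required if c not in satisfied]
    return {"decision": "allow" if not missing else "challenge",
            "required": missing, "policies": [p["name"] for p in matched]}


# Constructed sign-in contexts.
NORMAL = {"location_familiar": True, "device_compliant": True, "is_admin": False, "app": "outlook"}
UNUSUAL_LOCATION = {"location_familiar": False, "device_compliant": False, "is_admin": False, "app": "outlook"}
ADMIN_ON_BYOD = {"location_familiar": True, "device_compliant": False, "is_admin": True, "app": "finance"}
ADMIN_OK = {"location_familiar": True, "device_compliant": True, "is_admin": True,
            "app": "finance", "satisfied": ["mfa"]}

if __name__ == "__main__":
    for name, ctx in [("normal", NORMAL), ("unusual location", UNUSUAL_LOCATION),
                      ("admin on BYOD", ADMIN_ON_BYOD), ("admin ok", ADMIN_OK)]:
        print(name, "->", evaluate(ctx))
```

The "admin on BYOD" context is the instructive one: three policies match, their controls accumulate, and completing MFA alone would still not be enough because the device-compliance control cannot be satisfied by a second factor. That accumulation is what makes overlapping policies safe to write.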
For more details, visit: https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
Review: for self-remediation to work for hybrid users, password writeback must be enabled. This allows a user's password to be reset in the cloud and written back to the on-premises domain controller.
Sign-In Risk Detections
Microsoft Entra ID Protection incorporates a variety of premium sign-in risk detections based on these data points:
Anonymous IP Address Usage: Flags logins originating from anonymized sources like Tor or VPN services. (Defender for Cloud Apps)
Additional Risk Detected: This alert indicates that other risk factors have been observed for a user, combining multiple signals to increase the overall risk level. It serves as a catch-all for scenarios where suspicious activity doesn't fit neatly into predefined categories but still warrants investigation.
Admin Confirmed User Compromised: This alert is triggered when an administrator manually flags a user as compromised, typically after verifying malicious activity or suspicious behavior. It ensures that the account is immediately treated as high-risk and subject to remediation steps, such as requiring a password reset or blocking access.
Anomalous Token: Flags session tokens with irregular properties, such as abnormal lifetimes or use from unknown locations. Can have a high number of false positives. When investigating analyze the location, application, IP address, and user-agent for inconsistencies with normal user behavior.
Atypical Travel: A machine learning algorithm detects logins from unusual locations. Goes through an initial learning phase to establish a baseline (14 days or 10 logins). Attempt to exclude common false positives, such as VPN use or organizationally common locations.
Impossible Travel: Distance traveled between logon locations is impossible to travel in the time between logons. (Defender for Cloud Apps)
Malicious IP Addresses: Identifies logins originating from IPs known to be associated with malicious activity.
Mass Access to Sensitive Files: large amounts of sensitive files were accessed. (Defender for Cloud Apps)
Microsoft Entra Threat Intelligence: Microsoft Threat Intelligence has found indicators related to the activity.
New Country: Activity from a new country. (Defender for Cloud Apps)
Password Spray: Detects widespread attempts to compromise accounts via repeated password guessing across multiple users.
Suspicious Browser Activity: Highlights logins from browsers with unusual characteristics or risky attributes.
Suspicious Inbox Forwarding: Flags scenarios where email forwarding rules are created to send messages to external or unauthorized recipients. Attackers often use this tactic to exfiltrate sensitive information or monitor communications without detection. (Defender for Cloud Apps)
Suspicious Inbox Manipulation Rules: Identifies unusual email rules designed to hide or delete incoming messages, redirect specific emails, or otherwise tamper with inbox behavior. These rules are commonly used by attackers to obscure their activities, such as phishing or account takeover attempts. (Defender for Cloud Apps)
Token Issuer Anomaly: Detects discrepancies in token generation, especially those suggesting misuse or replay attacks.
Unfamiliar Sign-In Properties: Flags IP addresses, devices, ASNs, and user-agents not previously associated with the user. Particularly concerning if detected during non-interactive sign-ins, indicating potential token replay or automation-based attacks.
Verified Threat Actor IP: The sign-in originates from an IP address that Microsoft has verified as belonging to a known threat actor.
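Two of the detections in this list are simple enough to reimplement end to end, which helps when tuning or writing your own hunting queries. The block below is an added example, not Entra ID Protection or Defender for Cloud Apps code: it runs a password-spray check over constructed failed sign-ins (one source, many accounts, a couple of attempts each) and an inbox-rule check matching the "Suspicious Inbox Forwarding" and "Suspicious Inbox Manipulation Rules" entries (forwarding to an external domain, or deleting messages that match security keywords). The thresholds, domains and rule records are assumptions.

```python
"""Password spray and suspicious inbox rule checks (added example).

Not Entra ID Protection or Defender for Cloud Apps code. The failed
sign-ins and the mailbox rules are constructed; thresholds, the internal
domain list and the keyword list are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}
HIDE_KEYWORDS = {"password", "security alert", "invoice", "unusual sign-in"}

# Constructed failed sign-ins: (timestamp, source ip, user principal name).
FAILED_SIGNINS = [
    ("2025-12-30T02:00:00", "198.51.100.9", "alice@example.com"),
    ("2025-12-30T02:00:07", "198.51.100.9", "bob@example.com"),
    ("2025-12-30T02:00:15", "198.51.100.9", "carol@example.com"),
    ("2025-12-30T02:00:21", "198.51.100.9", "dave@example.com"),
    ("2025-12-30T02:00:30", "198.51.100.9", "erin@example.com"),
    ("2025-12-30T02:00:44", "198.51.100.9", "frank@example.com"),
    ("2025-12-30T08:12:00", "203.0.113.10", "jdoe@example.com"),
    ("2025-12-30T08:12:20", "203.0.113.10", "jdoe@example.com"),
    ("2025-12-30T08:12:45", "203.0.113.10", "jdoe@example.com"),
    ("2025-12-30T08:13:10", "203.0.113.10", "jdoe@example.com"),
]

# Constructed mailbox rules as a rule audit export might list them.
INBOX_RULES = [
    {"owner": "jdoe@example.com", "name": "..", "forward_to": ["drop@mail.example.net"],
     "delete": False, "keywords": []},
    {"owner": "jdoe@example.com", "name": "rss", "forward_to": [],
     "delete": True, "keywords": ["password", "Security Alert"]},
    {"owner": "bob@example.com", "name": "Project mail", "forward_to": ["team@example.com"],
     "delete": False, "keywords": ["project phoenix"]},
]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Source IPs that hit at least min_users accounts, each at most max_per_user times."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = []
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = Counter(u for t, u in attempts[i:] if t - start <= window)
            # Wide and shallow is the spray shape; one user failing repeatedly
            # (a forgotten password) does not qualify.
            if len(users) >= min_users and max(users.values()) <= max_per_user:
                flagged.append(ip)
                break
    return flagged


def suspicious_inbox_rules(rules):
    """(owner, rule name, reason) for rules that exfiltrate or hide mail."""
    findings = []
    for rule in rules:
        external = [a for a in rule["forward_to"]
                    if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
        if external:
            findings.append((rule["owner"], rule["name"], "forwards to external recipient"))
        hidden = {k.lower() for k in rule["keywords"]} & HIDE_KEYWORDS
        if rule["delete"] and hidden:
            findings.append((rule["owner"], rule["name"], "deletes messages matching security keywords"))
    return findings


if __name__ == "__main__":
    print("password spray sources:", detect_password_spray(FAILED_SIGNINS))
    for owner, name, reason in suspicious_inbox_rules(INBOX_RULES):
        print(f"{owner} rule {name!r}: {reason}")
```

Bob's rule is included on purpose: it forwards mail and filters on a keyword, yet it stays internal and moves rather than deletes, so it is ordinary mailbox hygiene and should not fire. Getting that negative case right is most of the work in keeping these detections low-noise.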
User Risk Detections
Entra ID Protection also tracks risks specifically linked to user identities:
Additional Risk Detected (User): Indicates that Microsoft has detected multiple risk signals for a user, escalating their overall risk score. This may include unusual behaviors, suspicious logins, or other anomalies that collectively suggest potential compromise.
Anomalous User Activity: Flags unusual or unexpected actions performed by a user, such as accessing unfamiliar resources, using irregular authentication methods, or exhibiting abnormal usage patterns. This suggests the account might be compromised or misused.
Attacker in the Middle: Detects signs of a man-in-the-middle (MITM) attack, where an attacker intercepts or manipulates communication between the user and the authentication service. This alert often involves suspicious activity related to session tokens, certificates, or authentication workflows.
Leaked Credentials: Detects user accounts associated with known credential breaches.
Microsoft Entra Threat Intelligence: Leverages intelligence from Azure AD to detect patterns linked to known attack methods or actors.
Primary Refresh Token (PRT) Access Attempts: Monitors for potential attempts to misuse refresh tokens, a key indicator of session hijacking.
Suspicious API traffic: Detects abnormal Graph API traffic or directory enumeration.
Suspicious sending patterns: Someone in your organization sent suspicious email and is either at risk of being or is restricted from sending email. (Defender for Office)
User reported suspicious activity: A user denies a multifactor authentication (MFA) prompt and reports it as suspicious activity.
Azure logon error codes
Other Entra ID / Azure AD sign-in errors
Recap - On-Prem Identity protections & Cloud Identity protections
Craig from clouditpro.com did an excellent job summarizing the two different Microsoft identity protection products, what they protect and how they merge in the Defender XDR platform.

Review Questions
Question 1
Which Microsoft Defender for Identity report shows every modification made to sensitive groups, including administrator groups and manually tagged users or groups?
Answer: The Modifications to sensitive groups report.
Question 2
What is the primary purpose of the Risky users report in Microsoft Entra ID Identity Protection?
Answer: To review risky sign-ins and classify users as safe or compromised based on investigation results and console-provided signals.
Question 3
Which filter option in the Risky users report indicates that a user mitigated risk by completing a protected remediation action?
Answer: User performed secured password reset.
Question 4
You are configuring Microsoft Defender for Identity (MDI) and want to create exploitable accounts for deception purposes. You tag specific accounts as Honey token accounts using Entity Tags in the MDI portal. Does this meet the requirement?
Answer: Yes.
Question 5
You want to configure exploitable accounts for Defender for Identity by using Azure AD Identity Protection sign-in risk policies. Does this achieve the goal?
Answer: No.
Question 6
You add exploitable accounts to an Active Directory group and mark the group as a sensitive group in Defender for Identity. Does this configuration meet the deception requirement?
Answer: No.
Question 7
When adding the Microsoft Entra ID data connector in Microsoft Sentinel, into which Log Analytics table is the ingested data stored?
Answer: The SecurityAlert table.
Question 8
While configuring UEBA in Microsoft Sentinel, you receive an error stating that Microsoft Defender for Identity (MDI) is required. What two actions should you verify?
Answer:
Ensure the Defender for Identity sensor is installed on the Active Directory domain controller.
Ensure the Azure tenant is onboarded to Microsoft Defender for Identity.
References
Microsoft Entra ID Protection vs. Microsoft Defender for Identity
Track changes to sensitive groups with Advanced Hunting in Microsoft 365 Defender
Putting the “Identity” in Identity Threat Detection and Response with Microsoft Entra ID
Azure AD Identity Protection Integrations with Microsoft Security Solutions: https://samilamppu.com/2022/11/22/azure-ad-identity-protection-integration-with-microsoft-security-solutions/