1.3 Defender for Identity
Defender for Identity detects threats within on-premises Active Directory environments. It catches lateral movement, credential theft, privilege escalation, and reconnaissance within the AD infrastructure. If your organisation runs a hybrid environment where Entra ID syncs with on-premises AD, this is critical — attacks frequently start on-prem and pivot to the cloud.
In hybrid environments, breaches commonly involve lateral movement between on-premises AD and cloud services. Defender for Identity is what gives you visibility into the on-prem side of that chain. Without it, you see the cloud sign-in for the synced account but not the Pass-the-Hash or Kerberoasting on the domain controller that preceded it.
Core components
Sensor. A software agent installed directly on domain controllers (or, in older deployments, as a standalone sensor on a separate server that receives mirrored DC traffic). It captures and analyses network traffic to and from DCs: authentication requests (Kerberos, NTLM), LDAP queries, DNS lookups, and directory replication traffic. It also reads selected Windows event log entries on the host, which is how events such as service creation are seen.
Detection Engine. Identifies attack techniques including Pass-the-Hash, Pass-the-Ticket, Golden Ticket, Kerberoasting, DCSync, reconnaissance via LDAP and DNS enumeration, brute force, and suspicious service creation. These are the techniques covered in the on-prem AD threats scenario (Module 19).
Figure 1.3: Attack techniques detected by Defender for Identity and its proactive assessment capabilities.
Lateral Movement Paths. Maps potential paths an attacker could take from a compromised low-privilege account to high-value targets like domain admins and sensitive groups. This is one of the most valuable features for security posture assessment — it shows you the attack paths that exist before anyone exploits them.
Entity Behaviour Analytics. Baselines normal behaviour for each user and device. Detects anomalies that may indicate compromise: unusual access patterns, time-of-day anomalies, atypical resource access.
Key data tables for investigation
IdentityLogonEvents — authentication events from on-prem AD (Kerberos and NTLM logons, successful and failed)
IdentityDirectoryEvents — AD directory changes (password changes, group membership changes, replication)
IdentityQueryEvents — LDAP and DNS query activity (reconnaissance)
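An added hunting example, not part of the course material, that uses two of these tables in Advanced Hunting: it finds source IPs with a burst of failed on-prem logons in one hour, keeps only those where a logon from the same IP succeeded after the last failure (brute force or password spray that landed), and then lists what those accounts changed in the directory during the following day. The 25-failure threshold, the 1h bin and the 1d follow-up window are assumptions to tune for your environment.

```kql
// Added example, not from the course. Threshold and windows are assumptions.
let lookback = 7d;
let window = 1h;
let threshold = 25;
// Source IPs with a burst of failed on-prem logons inside one hour bin
let bursts =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    | summarize
        FailedLogons = count(),
        TargetedAccounts = dcount(AccountName),   // high value suggests a spray
        Protocols = make_set(Protocol),
        DCs = make_set(DestinationDeviceName),
        LastFailure = max(Timestamp)
      by IPAddress, TimeBin = bin(Timestamp, window)
    | where FailedLogons >= threshold;
// Successful logons from the same IP in the same hour bin
let successes =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | project SuccessTime = Timestamp, IPAddress, AccountName, AccountUpn,
              AccountSid, TimeBin = bin(Timestamp, window);
// Keep only successes that came after the last failure from that IP
let suspects =
    bursts
    | join kind=inner successes on IPAddress, TimeBin
    | where SuccessTime > LastFailure
    | project IPAddress, AccountName, AccountUpn, AccountSid, FailedLogons,
              TargetedAccounts, Protocols, DCs, LastFailure, SuccessTime;
// What did the compromised-looking accounts then change in the directory?
suspects
| join kind=leftouter (
    IdentityDirectoryEvents
    | where Timestamp > ago(lookback)
    | project DirTime = Timestamp, AccountSid, ActionType,
              TargetAccountUpn, TargetDeviceName
  ) on AccountSid
| where isnull(DirTime) or DirTime between (SuccessTime .. SuccessTime + 1d)
| summarize
    DirectoryActions = make_set(ActionType),
    Targets = make_set(TargetAccountUpn),
    Protocols = any(Protocols),
    DCs = any(DCs)
  by IPAddress, AccountUpn, FailedLogons, TargetedAccounts, LastFailure, SuccessTime
| order by FailedLogons desc
```

Rows with an empty DirectoryActions set are still worth a look: the account authenticated after a burst even if it has not yet touched the directory. A high TargetedAccounts count with a low per-account failure count is the password-spray shape; the reverse is classic brute force against one account.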
How it connects to the ecosystem
Alerts feed into the Defender XDR unified incident queue. On-prem identity alerts correlate with Entra ID cloud sign-in alerts for full hybrid attack chain visibility. Lateral movement path data enriches endpoint investigations. Alerts and incidents, and optionally the Identity* advanced hunting tables, flow to Microsoft Sentinel via the Microsoft Defender XDR connector (formerly the Microsoft 365 Defender connector).
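The on-prem to cloud correlation described above, as an added Advanced Hunting query that is not from the course: it takes every user named as evidence in a Defender for Identity alert and lists that user's Entra ID sign-ins in the hours after the alert, so an analyst can see whether an on-prem credential-theft detection was followed by cloud access. It assumes the AADSignInEventsBeta table is available in the tenant, that ServiceSource carries the literal "Microsoft Defender for Identity" for these alerts, and that a 12h horizon fits your environment.

```kql
// Added example, not from the course. AADSignInEventsBeta availability,
// the ServiceSource literal and the 12h horizon are assumptions.
let lookback = 30d;
let horizon = 12h;
// Users that appear as evidence in Defender for Identity alerts
let mdiUsers =
    AlertInfo
    | where Timestamp > ago(lookback)
    | where ServiceSource == "Microsoft Defender for Identity"
    | join kind=inner (
        AlertEvidence
        | where EntityType == "User" and isnotempty(AccountUpn)
        | project AlertId, AccountUpn
      ) on AlertId
    | project AlertTime = Timestamp, AlertId, Title, Severity,
              AccountUpn = tolower(AccountUpn);
// Cloud sign-ins by those users in the window after the on-prem alert
AADSignInEventsBeta
| where Timestamp > ago(lookback)
| project SignInTime = Timestamp, AccountUpn = tolower(AccountUpn),
          Application, IPAddress, Country, ErrorCode, LogonType
| join kind=inner mdiUsers on AccountUpn
| where SignInTime between (AlertTime .. AlertTime + horizon)
| summarize
    CloudSignIns = count(),
    SuccessfulSignIns = countif(ErrorCode == 0),   // 0 is a successful sign-in
    Apps = make_set(Application),
    SourceIPs = make_set(IPAddress),
    Countries = make_set(Country)
  by AlertId, Title, Severity, AlertTime, AccountUpn
| order by AlertTime desc
```

A successful cloud sign-in from a new country or IP within the horizon, right after a Pass-the-Hash or Kerberoasting alert on the same user, is the hybrid chain the section is describing; the AlertId links back to the incident in the unified queue.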
Licensing
Included in M365 E5 (and in M365 E5 Security and EMS E5), or available as a standalone licence. Requires sensor installation on domain controllers — this is an infrastructure dependency you need to plan for, including change control for the DCs themselves.
Key takeaways
- Defender for Identity provides visibility into on-premises AD — the blind spot in cloud-only monitoring
- Detects credential theft techniques (Pass-the-Hash, Kerberoasting, DCSync) that precede cloud compromise
- Lateral movement path analysis shows attack paths before they are exploited
- Requires installing the sensor on domain controllers (a software agent, not a hardware appliance)
- On-prem alerts correlate with cloud sign-in alerts in Defender XDR for full hybrid visibility
Check your understanding
1. What infrastructure does Defender for Identity require that the other Defender products do not?
2. An attacker compromises a help desk account and uses it to reach a domain admin account. Which Defender for Identity feature would have identified this risk before the attack?