Microsoft Defender for Identity: Architecture and Key Capabilities

What is Microsoft Defender for Identity (Azure ATP)?

Microsoft Defender for Identity (previously called Azure Advanced Threat Protection or Azure ATP) is a Microsoft security solution that captures signals from Windows Active Directory deployed on-premise and Azure Active Directory (Azure AD) in the cloud. It processes these signals and uses them to detect, investigate, and respond to threats, including malicious insiders and compromised accounts.

Defender for Identity can help you detect identity-based attacks in a hybrid environment by:

  • Monitoring behavior and activities of users and other entities

  • Analyzing activity and identifying anomalies using advanced analytics based on machine learning

  • Identifying and enabling investigation of identity-related attacks

  • Visualizing the kill chain and attack timeline to help triage and rapidly respond to incidents


Learn more about the Microsoft 365 Defender suite, which includes Defender for Identity and other tools, such as Defender for Endpoint.

How Can Defender for Identity Help Implement Zero Trust?

A zero-trust architecture encourages an organization to act as if a malicious attacker has both internal and external access to the network, assuming that a breach has already occurred.

Traditional defense-in-depth strategies, which involved securing the external network perimeter and trusting entities inside the network, are no longer effective for cybersecurity in the modern IT environment. The key to monitoring security events and defending valuable assets is identity management.

The focus moves to identities

The focus of security has moved from defending the network edge to defending identities. When individuals and machines accessing the network are not implicitly trusted, there is a need to continuously verify identities and ensure each identity only has enough privileges to complete its task.

It can be challenging to achieve this level of identity management and monitoring for organizations of all sizes. Large organizations suffer from budget constraints and a shortage of security talent. In smaller organizations, it can be difficult to create a dedicated security operations center (SOC), as it can require several full time employees. A compelling solution for both scenarios is a managed service provider.

Microsoft’s managed identity security service

Microsoft Defender for Identity is one technology that helps organizations secure and monitor user identities at scale. Organizations using Microsoft 365 applications, or other cloud-based applications, can use an identity-centric approach to evaluate risk profiles related to user sign-in, user behavior, devices, and applications.

Defender for Identity is capable of capturing and analyzing user activity such as authentication attempts or multiple entry points per session, as well as other verified suspicious behaviors, across millions of cloud environments. It leverages Microsoft’s huge threat database to generate intelligence related to identity-related attacks.

Microsoft Defender for Identity provides a set of capabilities when combined with other components of Microsoft 365 Defender, a full-featured extended detection and response (XDR) suite. By correlating data from applications, emails, and endpoints, organizations can gain a comprehensive view of the threat landscape and take action to mitigate and remediate attacks. In addition, real-time analysis of suspicious behavior allows security teams to proactively track threats without waiting for a breach to happen.

Microsoft Defender for Identity Architecture

Microsoft Defender for Identity parses network traffic and obtains Active Directory entities and Windows events directly from domain controllers. It uses multiple approaches, including profiling, static rules, machine learning, and behavioral methods, to detect and alert about suspected security incidents.

Defender for Identity architecture is illustrated in the following diagram.

Diagram Description automatically generated

Image Source: Microsoft

Defender for Identity consists of the following components:

  • Defender for Identity portal—lets you create a Defender for Identity instance, displays data obtained from sensors, shows alerts, and enables investigation of identity-related threats.

  • Defender for Identity sensor—can be directly installed on domain controllers, to directly monitor controller traffic with no special configuration, or on Active Directory Federation Services (AD FS), to monitor traffic and authentication events.

  • Defender for Identity cloud service—runs in the Azure cloud, constantly updated with data from Microsoft Intelligent Security Graph.

  • Syslog integration—Microsoft Defender for Identity can receive data from a Syslog server through a sensor, and notify when it detects suspicious activity.

Using Microsoft Defender for Identity

Create the Microsoft Defender for Identity Instance

To start using the solution, you must create a Defender for Identity instance for your organization. Here is how to do this:

  1. Access the Defender for Identity portal— sign in using an AD user account or a group-managed service account.

  2. Create an instance—request to create a Defender for Identity instance. It uses the fully-qualified domain name of your Azure AD tenant to create an instance in the data center nearest to your Azure AD.

  3. Install sensor software—in the portal you will find a link to download the sensor executable, together with an access key. Run the installation on your domain controller or AD FS server. Provide the access key to allow the software to connect back to your Defender for Identity instance.

  4. Verify sensor status—in the portal, you will see your sensor’s status, version, and health. If the sensor is connected and healthy, you can start working with Defender for Identity.

Working with Alerts

Defender for Identity provides easy-to-use visualizations of suspicious activity on the network. Alerts show the entities involved in a threat and are color coded according to attack phases. Every security alert includes:

  • A title and description of the threat.

  • Threat category, including compromised credentials, reconnaissance, lateral movement, exfiltration, and domain dominance.

  • Evidence collected from the environment and ability to export for further analysis.

  • Details including device name, username, and auto-investigation status.

  • Hierarchical representation of processes, user accounts and machines related to the alert.

Graphical user interface Description automatically generated

Source: Microsoft

After you review an alert, you can classify it as “true positive” (a real threat), “benign true positive” (for example, activity from a penetration test), or “false positive”.

Network Name Resolution (NNR)

NNR lets you analyze and derive security insights from IP-based data. Defender for Identity captures IP data from network traffic, Windows events, and the event tracing for Windows (ETW) protocol. NNR correlates between IP addresses and the computers involved in specific activities, and generates alerts on suspicious events.

NNR lets you choose one of three primary methods to identify the machine behind an IP address: NTLM over RPC, NetBIOS, and RDP.

NNR data can help you detect threats like:

  • Identity theft (pass-the-ticket)

  • Domain Controller Sync (DCSync) attack

  • DNS reconnaissance by attackers


The main benefit of NNR data is that it can improve the level of certainty in security alerts and distinguish false positives from true positives, because they provide computer naming as part of the evidence for the alert. This lets you investigate which device was the real source of a security event.

Microsoft Defender for Identity Reports

The reports section in the portal lets you schedule regular reports or download reports at any time. Reports can provide information about system health, identity-related security alerts, and lateral movement in your environment.

Graphical user interface, application Description automatically generated

Source: Microsoft

Defender for identity provides the following built-in reports:

  • Summary report—dashboard of current status of identity threats.

  • Modification of sensitive groups—provides details about every change to a sensitive identity group, such as an administrators group.

  • Passwords exposed in cleartext—shows credentials stored or sent in unencrypted form.

  • Lateral movement paths to sensitive accounts—lists accounts currently exposed to lateral movement by attackers due to identity compromise.