This chapter covers Microsoft Defender for Identity, a cloud-based security solution that protects on-premises Active Directory environments from advanced identity threats. For the SC-900 exam, this topic appears in about 5-8% of questions within Domain 3 (Security Solutions). You need to understand its core capabilities, deployment architecture, and how it integrates with the Microsoft 365 Defender suite to detect and respond to identity-based attacks like pass-the-hash, golden ticket, and privilege escalation.
Jump to a section
Imagine a corporate office building with 500 employees, each having an ID badge that grants access to specific floors and rooms. The building has a central security desk where a guard monitors a CCTV system covering all entrances, corridors, and sensitive areas. The guard does not just watch live feeds; the system records every badge swipe, door open, and motion event. It learns typical employee movements—like John always enters at 8 AM and goes to the 3rd floor, and Sarah never accesses the server room. One day, the system detects that John's badge swipes into the server room at 2 AM, while CCTV shows someone who is not John. The guard immediately receives an alert, reviews the footage, and confirms an anomaly: the badge is cloned. The guard then locks the badge, notifies the security team, and isolates the threat. This mirrors Microsoft Defender for Identity: it monitors Active Directory signals (badge swipes), learns behavioral baselines (typical access patterns), detects anomalies (unusual logins, lateral movement), and triggers automated responses (disable account, alert SOC). The guard's ability to correlate badge data with video is like Defender for Identity correlating on-premises AD logs with cloud signals from Microsoft 365 Defender.
What is Microsoft Defender for Identity?
Microsoft Defender for Identity (MDI) is a cloud-based security solution that leverages your on-premises Active Directory (AD) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. It was formerly known as Azure Advanced Threat Protection (Azure ATP) and is part of the Microsoft 365 Defender suite. MDI uses machine learning and behavioral analytics to profile normal user and entity behavior and then identifies suspicious activities that deviate from those baselines.
Why It Exists
Traditional perimeter defenses are insufficient against modern identity attacks. Attackers often compromise a single user credential and then move laterally across the network, escalating privileges until they reach domain admin. MDI fills the gap by monitoring AD traffic, Windows Event Logs, and other signals to detect attacks that traditional antivirus or firewalls miss. It provides a dedicated identity threat detection and response (ITDR) capability.
How It Works Internally
MDI consists of sensors installed on domain controllers (DCs) or on dedicated servers that monitor network traffic and Windows events. The sensors forward parsed data to the MDI cloud service for analysis. Here is the step-by-step mechanism:
1. Sensor Installation and Configuration: You install the MDI sensor on each domain controller or on a dedicated server (standalone sensor) that receives mirrored traffic from DCs via port mirroring. The sensor requires .NET Framework 4.7 or later and at least 2 cores and 6 GB RAM for DCs with up to 100,000 users. 2. Data Collection: The sensor captures network traffic using Windows Packet Filter (WinPcap) or Npcap. It listens on port 88 (Kerberos), 389 (LDAP), 445 (SMB), and others. It also collects Windows Event IDs from the security log: 4624 (successful logon), 4625 (failed logon), 4672 (special privileges assigned), 4776 (credential validation), and others. Additionally, it queries AD for entity attributes like group memberships and trust relationships. 3. Parsing and Filtering: The sensor parses the raw packets to extract authentication requests, Kerberos tickets, NTLM authentications, and SMB sessions. It filters out noise and sends only security-relevant events to the cloud service over HTTPS (port 443) using certificate-based authentication. 4. Cloud Analysis: The MDI cloud service receives the data and applies behavioral analytics, machine learning models, and threat intelligence from Microsoft. It builds a baseline of normal behavior for each user and device over a period (typically 14-30 days). Then it compares real-time events against that baseline. 5. Alert Generation: When an event deviates significantly from the baseline, MDI generates an alert. Examples include: - Suspicious Kerberos activity: e.g., unusual Kerberos ticket requests that could indicate a Golden Ticket attack. - Pass-the-Hash: detection of NTLM authentication using a hash that was previously observed on a different machine. - Privilege escalation: e.g., a standard user suddenly adds themselves to the Domain Admins group. - Honeytoken activity: MDI supports setting fake accounts or groups (honeytokens) that should never be used; any activity on them triggers a high-severity alert. 6. Investigation and Response: Security analysts can investigate alerts in the Microsoft 365 Defender portal (security.microsoft.com). MDI provides a timeline of entity activities, lateral movement paths, and related alerts. It integrates with Microsoft Defender for Identity's automatic response actions, such as disabling a compromised user account or initiating an investigation with Microsoft 365 Defender's automated investigation and response (AIR).
Key Components, Values, and Defaults
Sensors: Two types – DC sensor (installed directly on domain controller) and standalone sensor (for environments where direct installation is not possible, using port mirroring).
Data retention: MDI stores alerts and activities for up to 180 days in the cloud service.
Supported domain controllers: Windows Server 2012 R2, 2016, 2019, 2022. Windows Server 2008 R2 requires a standalone sensor.
Minimum sensor requirements: 2 cores, 6 GB RAM for up to 100,000 users; for larger environments, scale up to 4 cores, 12 GB RAM per 100,000 users.
Ports used: Sensor to cloud: 443 (HTTPS). Sensor to DC: 88 (Kerberos), 389 (LDAP), 445 (SMB), 135 (RPC), and others.
Event IDs collected: 4624, 4625, 4634, 4647, 4672, 4776, 4768, 4769, 4771, 4772, 5136, 5137, 5140, 5145, 5156.
Default alert severity: High, Medium, Low. High severity includes Golden Ticket, Skeleton Key, and privilege escalation.
Configuration and Verification Commands
To verify sensor health, you can use PowerShell cmdlets from the MDI sensor module:
Get-MDISensorStatusThis returns the sensor health, last activity time, and configuration status.
To check if the sensor is receiving traffic:
Get-MDINetworkActivityThis shows recent network captures.
In the Microsoft 365 Defender portal, navigate to Settings > Identities > Sensors to view sensor status (green=healthy, yellow=warning, red=error).
Interaction with Related Technologies
MDI integrates deeply with: - Microsoft 365 Defender: Alerts from MDI appear in the unified incident queue alongside alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Cloud Apps. - Azure Active Directory (Azure AD): MDI can trigger conditional access policies via risk detection. For example, if MDI detects a suspicious logon, it can signal Azure AD Identity Protection to enforce MFA on the next login. - Microsoft Defender for Cloud Apps: MDI alerts can be correlated with cloud app activities to detect hybrid attacks. - Windows Defender Firewall: MDI can automatically block IP addresses associated with malicious activity on the network. - SIEM integration: MDI forwards alerts to Azure Sentinel or third-party SIEMs via CEF or Syslog.
Exam-Relevant Details
MDI is not an agent-based solution on workstations; it monitors network traffic to and from domain controllers only.
It does not require any changes to client machines.
The sensor can be installed on a read-only domain controller (RODC) but with limited detection capabilities (no Kerberos analysis).
MDI supports multiple forests with cross-forest trust relationships.
The honeytoken feature is a key exam point: you can configure fake accounts or groups that should never be used; any authentication attempt using them triggers a high-severity alert.
The lateral movement path (LMP) report shows how an attacker could move from a compromised account to a high-value target like a domain admin. This is a unique MDI capability.
MDI uses machine learning for baseline modeling but also has deterministic detection for known attack patterns (e.g., overpass-the-hash).
Common Misconfigurations
Not enabling port mirroring for standalone sensors, causing incomplete traffic capture.
Using a proxy that strips TLS inspection, breaking sensor-to-cloud communication.
Failing to exclude MDI sensor traffic from network monitoring solutions to avoid double-sensor issues.
Not configuring honeytokens, missing a simple detection opportunity.
Overlooking sensor updates: sensors auto-update from the cloud, but if the sensor cannot reach the update endpoint, it may fall behind.
Install MDI Sensor on DC
Download the sensor installer from the Microsoft 365 Defender portal. Run the installer on each domain controller. During installation, you provide an access key generated from the portal. The sensor registers with the cloud service using this key. The sensor then installs WinPcap or Npcap to capture network traffic. After installation, the sensor begins collecting events and sending them to the cloud. You can verify successful registration by checking the sensor status in the portal.
Sensor Captures Network Traffic
The sensor uses WinPcap to capture packets on the network interface(s) of the domain controller. It listens on ports used by Kerberos (UDP/TCP 88), LDAP (389), SMB (445), and others. The sensor filters out non-AD traffic to reduce noise. It also subscribes to Windows Security Event Log to capture events like logon/logoff, account management, and Kerberos ticket requests. The sensor parses these packets and events into structured data.
Data Sent to MDI Cloud Service
The sensor compresses and encrypts the parsed data and sends it over HTTPS (port 443) to the MDI cloud service. The cloud endpoint is typically `atp.azure.com` or similar. The sensor uses certificate-based authentication to ensure secure communication. If the sensor cannot reach the cloud, it buffers data locally for up to 48 hours (default) and retries periodically. The cloud service validates the sensor identity and processes the data.
Cloud Analyzes and Generates Alerts
The MDI cloud service applies machine learning models and behavioral baselines to the incoming data. For each user, device, and resource, it maintains a profile of normal behavior. When an event deviates (e.g., a user logs in from an unusual location at 3 AM, or an account attempts to enumerate all domain admins), the system correlates it with known attack patterns. If the anomaly score exceeds a threshold, an alert is generated with a severity level. The alert includes details like affected entities, MITRE ATT&CK technique, and recommended actions.
Respond via Microsoft 365 Defender
Alerts appear in the Microsoft 365 Defender portal under Incidents. Security analysts can investigate using the timeline and lateral movement path graph. They can trigger automatic responses like disabling the compromised account, forcing password reset, or isolating the device. MDI also supports integration with Azure AD Identity Protection to enforce conditional access policies. For example, a high-severity alert can automatically trigger a risk-based conditional access policy requiring MFA.
Enterprise Scenario 1: Detecting Pass-the-Hash Attack
A large enterprise with 50,000 users and 200 domain controllers deploys MDI sensors on all DCs. One day, MDI detects a series of NTLM authentications where the same NTLM hash is used from multiple workstations that have no administrative relationship. This is a classic pass-the-hash attack. The alert includes the source IPs and the compromised account. The SOC team immediately disables the account and investigates the workstations. MDI's lateral movement path graph shows that the attacker used the compromised account to access a file server and then attempted to dump credentials. The integration with Microsoft 365 Defender allows the SOC to isolate the affected machines automatically. The attack is contained within 15 minutes, preventing privilege escalation to domain admin.
Enterprise Scenario 2: Golden Ticket Detection
A financial institution with strict compliance requirements uses MDI to monitor Kerberos activity. MDI detects an unusual Kerberos ticket request where the ticket's validity period is set to 10 years (default is 10 hours) and the ticket contains elevated privileges for a standard user. This is a Golden Ticket attack. MDI generates a high-severity alert. The SOC reviews the alert and confirms that the domain controller's KRBTGT account hash was compromised. They reset the KRBTGT password twice (as per Microsoft best practice) and revoke all existing Kerberos tickets. MDI's integration with Azure Sentinel allows them to create a custom analytics rule for future detection.
Scenario 3: Misconfiguration Consequences
A mid-size company deploys MDI but fails to configure port mirroring for the standalone sensor. As a result, the sensor only captures events from the Windows Event Log, missing crucial network-level indicators like SMB sessions and Kerberos ticket requests. MDI generates fewer alerts, and a lateral movement attack goes undetected for weeks. When the company finally enables port mirroring, MDI immediately detects multiple suspicious activities. This highlights the importance of proper network traffic capture for full detection coverage. Additionally, the company did not configure honeytokens, missing an easy detection opportunity for attackers probing the environment.
What SC-900 Tests on Microsoft Defender for Identity
SC-900 objective 3.3 focuses on describing the capabilities of Microsoft Defender for Identity. The exam expects you to know: - What MDI is: a cloud-based security solution that protects on-premises Active Directory from identity threats. - How it is deployed: via sensors on domain controllers or standalone sensors with port mirroring. - What it detects: advanced attacks like pass-the-hash, golden ticket, skeleton key, overpass-the-hash, and privilege escalation. - Key features: honeytokens, lateral movement path (LMP), behavioral baselines, and integration with Microsoft 365 Defender. - Integration points: Azure AD Identity Protection, Microsoft Defender for Cloud Apps, Azure Sentinel.
Common Wrong Answers and Why Candidates Choose Them
"MDI requires an agent on every workstation." – Wrong. MDI monitors network traffic to/from domain controllers, not endpoints. Candidates confuse it with Microsoft Defender for Endpoint which requires an agent.
"MDI is a cloud-only solution that does not require on-premises infrastructure." – Wrong. MDI requires on-premises sensors to capture AD traffic. Candidates may think it works entirely in the cloud because it's a cloud service.
"MDI can replace your antivirus." – Wrong. MDI focuses on identity threats, not malware. Candidates may overgeneralize its capabilities.
"MDI only works with Azure AD, not on-premises AD." – Wrong. MDI is specifically designed for on-premises AD. Candidates confuse it with Azure AD Identity Protection.
Specific Numbers, Values, and Terms on the Exam
Sensor types: DC sensor and standalone sensor.
Default data retention: 180 days for alerts and activities.
Minimum sensor RAM: 6 GB for up to 100,000 users.
Ports monitored: 88 (Kerberos), 389 (LDAP), 445 (SMB).
Event IDs: 4624, 4776, 4768, 4769 (know these by name, not number).
Honeytoken: a fake account or group that triggers an alert when used.
Lateral movement path: a graph showing potential attack paths.
Edge Cases and Exceptions
MDI can monitor read-only domain controllers (RODCs) but with limited detection (no Kerberos analysis).
MDI supports multiple forests with cross-forest trusts.
MDI does not support Azure AD-only environments; it requires on-premises AD.
If the sensor cannot reach the cloud, it buffers data for up to 48 hours.
How to Eliminate Wrong Answers
When you see an answer that mentions "agent on every device" or "replaces antivirus," it is almost certainly wrong. Focus on answers that mention "domain controller traffic," "behavioral analytics," or "on-premises Active Directory." Remember that MDI is about identity threats, not endpoint protection. Eliminate answers that describe features of Microsoft Defender for Endpoint (like file scanning) or Microsoft Defender for Office 365 (like email filtering).
Microsoft Defender for Identity (MDI) protects on-premises Active Directory from identity threats using behavioral analytics and machine learning.
MDI is deployed via sensors on domain controllers or standalone sensors with port mirroring.
Key capabilities include detection of pass-the-hash, golden ticket, skeleton key, and privilege escalation attacks.
MDI uses honeytokens (fake accounts/groups) to detect attackers probing the environment.
The lateral movement path (LMP) feature maps how an attacker could move from a compromised account to a high-value target.
MDI integrates with Microsoft 365 Defender, Azure AD Identity Protection, and Azure Sentinel.
Data retention for alerts and activities is 180 days.
MDI is included in Microsoft 365 E5 and Enterprise Mobility + Security E5.
No agent is required on workstations; only sensors on domain controllers.
MDI does not replace antivirus or endpoint protection solutions.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Defender for Identity
Protects on-premises Active Directory
Uses sensors on domain controllers
Detects advanced attacks like pass-the-hash and golden ticket
Provides lateral movement path analysis
Integrates with Microsoft 365 Defender
Azure AD Identity Protection
Protects cloud-based Azure AD identities
Uses cloud signals and user risk policies
Detects risky sign-ins and compromised credentials
Does not provide lateral movement analysis
Integrates with Conditional Access and Identity Governance
Mistake
Microsoft Defender for Identity requires an agent on every workstation.
Correct
MDI uses sensors installed on domain controllers or standalone sensors that capture network traffic. No agent is required on workstations.
Mistake
MDI is a cloud-only solution that works without any on-premises infrastructure.
Correct
MDI requires on-premises sensors to capture Active Directory traffic. The analysis is in the cloud, but the data collection is on-premises.
Mistake
MDI can replace traditional antivirus or endpoint protection.
Correct
MDI focuses solely on identity-based attacks against Active Directory. It does not scan files, block malware, or protect endpoints from viruses.
Mistake
MDI works with Azure AD only, not on-premises AD.
Correct
MDI is specifically designed to protect on-premises Active Directory. Azure AD Identity Protection is the cloud counterpart for Azure AD.
Mistake
MDI requires a separate subscription and is not included in Microsoft 365 E5.
Correct
MDI is included in Microsoft 365 E5 and Enterprise Mobility + Security E5. It does not require an additional purchase if you have these licenses.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Microsoft Defender for Identity (MDI) is a cloud-based security solution that protects on-premises Active Directory from advanced identity threats. It uses sensors on domain controllers to capture network traffic and Windows events, then applies behavioral analytics to detect attacks like pass-the-hash and golden ticket. Azure AD Identity Protection, on the other hand, protects cloud-based Azure AD identities by evaluating sign-in risks and user risks. MDI focuses on on-premises AD while Azure AD Identity Protection focuses on cloud identities. Both are part of the Microsoft 365 Defender suite and can integrate with each other.
No. MDI does not require any agent or software on client workstations. It monitors network traffic to and from domain controllers using sensors installed on the DCs or via port mirroring. This makes it easy to deploy without affecting end-user devices. However, if you want to collect additional data like DNS events, you may need to configure Windows Event forwarding from workstations, but this is optional.
MDI detects a wide range of identity-based attacks, including: pass-the-hash (PTH), overpass-the-hash (OPTH), golden ticket attacks, silver ticket attacks, skeleton key attacks, brute force attacks, privilege escalation (e.g., adding a user to Domain Admins), reconnaissance (e.g., LDAP enumeration), and use of honeytoken accounts. It also detects abnormal behavior like unusual logon times, locations, or devices.
MDI is fully integrated into the Microsoft 365 Defender portal (security.microsoft.com). Alerts from MDI appear in the unified incident queue alongside alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Cloud Apps. This allows security teams to investigate and respond to multi-domain threats from a single pane of glass. MDI also supports automated investigation and response (AIR) within Microsoft 365 Defender.
MDI is included in Microsoft 365 E5, Enterprise Mobility + Security E5, and as a standalone license. If you have Microsoft 365 E5 or EMS E5, you can use MDI without additional cost. For organizations with Microsoft 365 E3, you can purchase MDI as an add-on. There is no per-user or per-device licensing; it is licensed per user or per organization depending on the plan.
Yes. MDI supports environments with multiple Active Directory forests, including those with cross-forest trusts. You need to install sensors in each forest that you want to monitor. The MDI cloud service can correlate activities across forests to detect attacks that span multiple domains.
The sensor buffers data locally for up to 48 hours by default. Once connectivity is restored, the sensor sends the buffered data to the cloud. If the outage exceeds 48 hours, some data may be lost. The sensor status in the portal will show as unhealthy or disconnected. It is recommended to monitor sensor health regularly.
You've just covered Microsoft Defender for Identity — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?