What's New in Microsoft Defender for Identity in July 2022

Microsoft Defender for Identity

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).

What’s New

In July 2022, two new versions of Microsoft Defender for Identity were released:

  1. Version 2.184, released on July 10, 2022
  2. Version 2.185, released on July 18, 2022

These releases introduced the following functionality:

New security assessments

Starting with version 2.184, Defender for Identity includes unsecure domain configuration assessments.

Microsoft Defender for Identity continuously monitors your environment to identify domains with configuration values that expose a security risk, and reports on these domains to assist you in protecting your environment.

Npcap instead of WinPcap

Starting with version 2.184, the Defender for Identity installation package installs the Npcap component instead of the WinPcap drivers.

Wrongfully detected macOS devices

In version 2.185, an issue was fixed where the Suspected Golden Ticket usage (nonexistent account) (external ID 2027) detection would wrongfully trigger for macOS devices.

Disable user now separated into disable and suspend

The Defender for Identity team decided to divide the Disable User action on the user page into two different actions:

  1. Disable User
     This disables the user in Active Directory.
  2. Suspend User
     This disables the user in Azure AD.

The time it takes to synchronize from Active Directory to Azure Active Directory can be crucial, so defenders can now choose to disable a user in each directory, one after the other, which removes the dependency on the synchronization between Active Directory and Azure AD.

When a user is disabled only in Azure AD, that state will be overwritten by Active Directory if the user is still active in Active Directory.


Both July 2022 Defender for Identity releases include improvements and bug fixes for the internal sensor infrastructure.
