Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate and remediate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).

What's New

Defender for Identity's identity security posture assessments proactively detect and recommend actions across your on-premises Active Directory configurations.

The following new security posture assessments are now available in Microsoft Secure Score:

• Do not expire passwords
• Remove access rights on suspicious accounts with the Admin SDHolder permission
• Manage accounts with passwords more than 180 days old
• Remove non-admin accounts with DCSync permissions
• Remove local admins on identity assets
• Start your Defender for Identity deployment

The Microsoft Defender for Identity portal experience and functionality have been converged into Microsoft’s extended detection and response (XDR) platform, Microsoft 365 Defender. As of July 6, 2023, customers using the classic Defender for Identity portal are automatically redirected to Microsoft 365 Defender, with no option to revert back to the classic portal.

The Microsoft 365 Defender global search now supports searching by Active Directory group name. Any groups found are shown in the results on a separate Groups tab. Select an Active Directory group from the search results to see more details, including:

Now, admins can download and schedule periodic Defender for Identity reports from the Microsoft 365 Defender portal, creating parity in report functionality with the classic Defender for Identity portal.

Download and schedule reports in Microsoft 365 Defender from the Settings > Identities > Report management page.

This version includes improvements and bug fixes for cloud services and the Defender for Identity sensor.

This version includes improvements and bug fixes for cloud services and the Defender for Identity sensor.

This version provides the new AccessKeyFile installation parameter. Use the AccessKeyFile parameter during a silent installation of a Defender for Identity sensor, to set the workspace Access Key from a provided text path.

It also includes improvements and bug fixes for cloud services and the Defender for Identity sensor.