Microsoft Defender for Identity
Microsoft Defender for Identity (MDI) is a cloud-powered sensor that sits on your Domain Controllers, analyzing every authentication and directory operation to detect AD attacks in real time.
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, or Azure ATP, and before that Advanced Threat Analytics, or ATA) is a security product that monitors your Active Directory for attacks. You install a lightweight sensor on each Domain Controller, and it captures the authentication traffic and directory operations that reach that DC. MDI uses machine learning to build a behavioral profile for each entity: it learns which computers each user normally logs into, which SPNs they request tickets for, and what LDAP queries they run. When activity deviates from that baseline, such as a user suddenly querying every SPN in the domain (the Kerberoasting signal) or a non-DC account requesting directory replication data (the DCSync signal), MDI generates an alert. Alongside the behavioral models, it ships with built-in detection rules covering over 100 known AD attack techniques.
Imagine replacing your building's security camera operator — who watches feeds and sometimes misses things — with an AI system that has memorized every employee's face, knows their normal schedule, understands every door they typically use, and instantly alerts when someone is in the wrong place at the wrong time. MDI is that AI: it learns normal behavior patterns for every user and computer in your domain, then detects deviations that indicate reconnaissance, lateral movement, credential theft, and domain dominance attacks.
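As an added illustration of the baseline-and-deviation idea described above (this is not MDI's own logic or code, and it is not from the original page), the following Python runs two simplified detections over constructed events: the Kerberoasting signal (one account suddenly enumerating nearly every SPN in the domain) and the DCSync signal (a replication request from an account that is not a Domain Controller). The account names, SPNs, baselines and thresholds are all made-up sample values.

```python
from collections import defaultdict

# Constructed sample telemetry, not real MDI data. Each record is
# (account, event_type, target): "spn_query" = an LDAP servicePrincipalName
# lookup, "replication" = a directory replication request (the DCSync signal).
DOMAIN_SPNS = {f"MSSQLSvc/sql{i}.corp.example:1433" for i in range(1, 11)}  # 10 SPNs
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}  # hypothetical DC machine accounts

# Learned baseline: distinct SPNs each account touched per day during training.
BASELINE = {"alice": 2, "bob": 1, "svc-backup": 3}

EVENTS = [
    ("alice", "spn_query", "MSSQLSvc/sql1.corp.example:1433"),
    ("alice", "spn_query", "MSSQLSvc/sql2.corp.example:1433"),
    *[("bob", "spn_query", spn) for spn in sorted(DOMAIN_SPNS)],  # bob hits every SPN
    ("DC02$", "replication", "DC01$"),       # normal DC-to-DC replication
    ("svc-backup", "replication", "DC01$"),  # non-DC account asking for replication data
]


def detect_kerberoasting(events, baseline, domain_spns, coverage=0.8, multiplier=3):
    """Flag accounts whose distinct SPN queries both cover most of the domain's
    SPNs and far exceed the account's learned baseline. Returns (account, count)."""
    seen = defaultdict(set)
    for account, kind, target in events:
        if kind == "spn_query":
            seen[account].add(target)
    alerts = []
    for account, spns in seen.items():
        normal = baseline.get(account, 0)
        wide_sweep = len(spns) >= coverage * len(domain_spns)
        far_above_normal = len(spns) > multiplier * max(normal, 1)
        if wide_sweep and far_above_normal:
            alerts.append((account, len(spns)))
    return alerts


def detect_dcsync(events, domain_controllers):
    """Flag any replication request whose requester is not a DC machine account."""
    return [(acct, target) for acct, kind, target in events
            if kind == "replication" and acct not in domain_controllers]


if __name__ == "__main__":
    print("Kerberoasting-like:", detect_kerberoasting(EVENTS, BASELINE, DOMAIN_SPNS))
    print("DCSync-like:", detect_dcsync(EVENTS, DOMAIN_CONTROLLERS))
```

The real product combines many more signals (source host, time of day, ticket encryption types, peer-group behavior) before raising an alert; the two functions above only show the shape of the reasoning.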
Key Takeaways
- MDI monitors Domain Controllers in real time, detecting 100+ known AD attack techniques.
- Uses behavioral analytics to learn normal patterns and detect deviations.
- Detects DCSync, Golden Ticket, Kerberoasting, lateral movement, and reconnaissance.
- Lightweight sensor installs directly on DCs with ~10% CPU overhead.
- Integrates with Microsoft 365 Defender for cross-product security correlation.
MDI provides enterprise-grade AD attack detection out of the box, covering techniques that would require extensive custom SIEM rules to detect manually. For organizations with Microsoft 365 E5, it is the fastest path to comprehensive AD monitoring.